Report No. D-2007-099                                          June 13, 2007

DoD Privacy Program and Privacy Impact Assessments

Additional Copies

To obtain additional copies of this report, visit the Web site of the Department of Defense Inspector General at http://www.dodig.mil/audit/reports or contact the Secondary Reports Distribution Unit at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Office of the Deputy Inspector General for Auditing at (703) 604-9142 (DSN 664-9142) or fax (703) 604-8932. Ideas and requests can also be mailed to:

    ODIG-AUD (ATTN: Audit Suggestions)
    Department of Defense Inspector General
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Acronyms

ASD(NII)    Assistant Secretary of Defense for Networks and Information Integration
CIO         Chief Information Officer
DITPR       DoD Information Technology Portfolio Repository
FISMA       Federal Information Security Management Act
FOIA        Freedom of Information Act
GAO         Government Accountability Office
IA          Information Assurance
IT          Information Technology
OMB         Office of Management and Budget
PIA         Privacy Impact Assessment

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

                                                                    June 13, 2007

MEMORANDUM FOR ASSISTANT SECRETARY OF DEFENSE FOR NETWORKS AND INFORMATION INTEGRATION/DOD CHIEF INFORMATION OFFICER
               DIRECTOR OF ADMINISTRATION AND MANAGEMENT

SUBJECT: Report on Audit of DoD Privacy Program and Privacy Impact Assessments (Report No. D-2007-099)

We are providing this report for review and comment. We considered management comments on a draft of this report when preparing the final report.

DoD Directive 7650.3 requires that all recommendations be resolved promptly. The Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer comments were fully responsive to twelve recommendations and partially responsive to three recommendations. We request additional comments from the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer on Recommendations C.1.a., C.2.a., and C.2.c. The Director of Administration and Management comments were fully responsive to one recommendation, partially responsive to two recommendations, and not responsive to seven recommendations. We request additional comments from the Director of Administration and Management on all recommendations with partial or not responsive comments. The Naval Postgraduate School comments were fully responsive and do not require additional comment. Therefore, we request that the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer and the Director of Administration and Management provide comments by July 13, 2007.

If possible, please send management comments in electronic format (Adobe Acrobat file only) to AudROS@dodig.mil. Copies of the management comments must contain the actual signature of the authorizing official. We cannot accept the / Signed / symbol in place of the actual signature. If you arrange to send classified comments electronically, they must be sent over the SECRET Internet Protocol Router Network (SIPRNET).

We appreciate the courtesies extended to the staff. Questions should be directed to Ms. Kathryn M. Truex at (703) 604-8966 (DSN 664-8966) or Mr. Robert R. Johnson at (703) 604-9024 (DSN 664-9024). See Appendix D for the report distribution. The team members are listed inside the back cover.

                              By direction of the Deputy Inspector General for Auditing:

                                        Wanda A. Scott
                                        Assistant Inspector General
                                        Readiness and Operations Support

Department of Defense Office of Inspector General
Report No. D-2007-099 (Project No. D2006-D000AL-0087.000)              June 13, 2007

DoD Privacy Program and Privacy Impact Assessments

Executive Summary

Who Should Read This Report and Why? The Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer; Director of Administration and Management, Office of the Secretary of Defense; Director, DoD Privacy Office; and Privacy and Chief Information Officers of the Military Departments and DoD Components should read this report to obtain information about the implementation of the DoD Privacy and Privacy Impact Assessment Programs. This report discusses how DoD Components may be operating information systems that may not prevent the compromise and misuse of the public's personally identifiable information.

Background. In establishing the Privacy Act of 1974, Title 5 U.S.C. § 552a (as amended), Congress found that the right to privacy is a personal and fundamental right protected by the Constitution of the United States.
The intent of the Privacy Act is to require Federal agencies to protect individuals against unwarranted invasions of their privacy through limiting the collection, maintenance, use, and disclosure of personal information about them. The Act requires that Federal agencies establish information practices that restrict disclosure of personally identifiable records and grants individuals increased access to agency records maintained on them.

The Office of Management and Budget required agency heads to designate a senior official within the agency to assume primary responsibility for privacy policy. The Director, Administration and Management, Office of the Secretary of Defense, is the designated DoD Senior Privacy Officer. The Director is required to report annually to the Office of Management and Budget on the DoD Privacy Program. The annual privacy report is currently included as an appendix to the DoD statutory report prepared for section 3545, Public Law 107-347, Title III, "Federal Information Security Management Act (FISMA)," December 17, 2002, of the E-Government Act of 2002.

The E-Government Act additionally requires that Federal agencies protect the collection of personal information in Federal government information systems by requiring that agencies conduct Privacy Impact Assessments. A Privacy Impact Assessment is an analysis of how personal information is collected, stored, shared, and managed in Federal information technology systems. The Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer is the principal staff assistant for information technology matters relating to DoD Privacy Impact Assessments.

We visited officials from the offices of the Defense Privacy Officer and the DoD Chief Information Officer; the Departments of the Army, the Navy, and the Air Force; the Defense Threat Reduction Agency; the Washington Headquarters Service; and the TRICARE Management Activity; and 12 subordinate program offices responsible for the security and privacy of the specific information technology systems selected for review.

Results. We performed the audit to determine whether DoD Components reported consistent and valid information to the Office of the Secretary of Defense, the Office of Management and Budget, and the Congress regarding management and protection of personal information related to the DoD Privacy Program. We also evaluated DoD compliance with Privacy Impact Assessment requirements and determined whether safeguards were established to prevent the compromise and misuse of personal information during its storage or transfer and were in accordance with Office of Management and Budget and DoD guidance implementing the Privacy and E-Government Acts.

DoD Components did not consistently implement Privacy Program policy for reporting, collecting, safeguarding, maintaining, using, and disseminating personal information. Specifically, DoD Components did not prepare system notices for systems of records, mark documents with mandatory privacy statements, designate privacy officer responsibilities, or conduct privacy training. As a result, the personal information contained in DoD information systems could be vulnerable to access by unauthorized personnel, and/or for unauthorized purposes (finding A).

DoD Components did not comply with the requirements of the E-Government Act of 2002 Privacy Impact Assessment program. Specifically, DoD Components did not establish responsibilities for conducting, reviewing, approving, and reporting Privacy Impact Assessments or posting those assessments to public Web sites. As a result, DoD information systems may not conform to DoD and Federal policies that protect handling, collecting, maintaining, and disseminating privacy information. Additionally, DoD Components may be operating information systems that may not be designed to prevent the compromise and misuse of the public's personally identifiable information (finding B).

DoD Components did not complete Privacy Impact Assessments for information systems containing personally identifiable information or accurately report Privacy Impact Assessment information in the DoD Information Technology Portfolio Repository. As a result, Component Chief Information Officers could not report accurate information from the DoD Information Technology Portfolio Repository to the DoD Chief Information Officer, the Office of Management and Budget, and the Congress. Additionally, security risks associated with the protection of personal information may not be evaluated, leaving the systems and the public's information vulnerable to compromise or misuse (finding C).

See the Findings section of the report for the detailed recommendations.

We found weaknesses in the DoD Components' Management Control Programs for reporting Privacy Impact Assessment information in the DoD Information Technology Portfolio Repository and implementing privacy programs. For specific results of those weaknesses, see the Finding sections of the report. The recommendations, if implemented, will correct the identified weaknesses.

Management Comments and Audit Response. The Assistant Secretary of Defense for Networks and Information Integration, Deputy Chief Information Officer concurred with 14 recommendations and partially concurred with 1 recommendation. However, the Assistant Secretary of Defense for Networks and Information Integration, Deputy Chief Information Officer comments were fully responsive to 11 recommendations and only partially responsive to 4 recommendations. We agreed with the proposed actions for establishing internal controls, evaluating the inventory of systems, and implementing automated controls in the DoD Information Technology Portfolio Repository, but we request additional details on the actions. The DoD Senior Privacy Official, Office of the Director of Administration and Management generally concurred with the findings but not with the recommendations. The comments stated that the Component Federal Information Security Management Act Privacy reporting, which includes assessing whether training programs are ensuring that personnel are generally familiar with privacy policies, is a more effective tool for overseeing and reviewing Component compliance with program requirements. The comments also stated that biannual certification requirements would not remedy the training problems identified in the report. The comments repeatedly stated that the current DoD Regulation on Privacy provides guidance on training, that the revised Regulation has been expanded to provide additional guidance as well, that Chief Information Officers do not have a direct role in the Privacy Program, and that Chief Information Officers do have a critical role to play regarding Privacy. Additionally, the comments stated that neither the Privacy Act nor the DoD guidance requires that a Privacy Act statement be provided by a third party who is furnishing information about an individual. We determined one of the DoD Senior Privacy Official's comments to be fully responsive, two comments as partially responsive, and seven comments as not responsive. Therefore, we request that the Director of Administration and Management provide additional comments on these recommendations by July 13, 2007.

The Chief of Staff, Naval Postgraduate School concurred with the recommendations; therefore, no further comments are required. We request that the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer and the Director of Administration and Management provide comments on the final report by July 13, 2007.

Although not required to comment, the Department of the Navy and the Department of the Air Force sent unsolicited comments. The Chief Information Officer, Department of the Navy concurs with the need to update the Department of the Navy Privacy Instruction to reflect changes in the management of the Privacy Program, policies, and practices. The Director, Information Services and Integration (Office of Warfighting Integration and Chief Information Officer), Department of the Air Force, concurs with the audit findings and recommendations associated with the Privacy Act Program and Privacy Impact Assessments. See the Findings section of the report for a discussion of management comments and the Management Comments section of the report for the complete text of the comments.

Table of Contents

Executive Summary                                                            i

Background                                                                   1

Objectives                                                                   2

Review of Internal Controls                                                  2

Findings
      A. DoD Privacy Program                                                 4
      B. Privacy Impact Assessments                                         17
      C. Reporting in the DoD Information Technology Portfolio Repository   28

Appendixes
      A. Scope and Methodology                                              38
           Prior Coverage                                                   40
      B. Forms Without Privacy Act Statements                               41
      C. Systems Reviewed for Privacy Impact Assessments in the DoD
           Information Technology Portfolio Repository                      42
      D. Report Distribution                                                44

Management Comments
      Assistant Secretary of Defense for Networks and Information
         Integration/DoD Chief Information Officer                          47
      Director of Administration and Management                             53
      Naval Postgraduate School                                             58
      Department of the Navy                                                61
      Department of the Air Force                                           63

Background

Privacy Act of 1974. In establishing the Privacy Act of 1974, Title 5, U.S.C. § 552a (as amended), Congress found that the right to privacy is a personal and fundamental right protected by the Constitution of the United States (see Public Law 93-579, 88 Stat. 1896, section 2). The objective of the Privacy Act is to balance the Government's need to maintain information about individuals with the requirement that agencies protect individuals' rights against unwarranted invasions of their privacy through limitations on the collection, maintenance, use, and disclosure of individuals' personal information.
The Act requires Federal agencies to establish information practices that restrict disclosure of personally identifiable records and grant individuals access to agency records maintained on them.

The Office of Management and Budget (OMB) Memorandum 99-05, Attachment A, "Privacy and Personal Information in Federal Records," May 14, 1998, required agency heads to designate a senior official within the agency to assume primary responsibility for privacy policy. The Director, Administration and Management, Office of the Secretary of Defense, is the designated DoD Senior Privacy Officer and is responsible for implementing the DoD Privacy Program. The Director is required to report annually to OMB on the DoD Privacy Program. The annual privacy report is currently included as an appendix to the DoD statutory report prepared for Public Law 107-347, Title III, Section 301, 44 U.S.C. § 3545, "Federal Information Security Management Act (FISMA)," December 17, 2002, of the E-Government Act of 2002.

E-Government Act of 2002. The E-Government Act requires that Federal agencies protect the collection of personal information in Federal Government information systems by requiring that agencies conduct Privacy Impact Assessments (PIA). A PIA is an analysis of how personal information is collected, stored, shared, and managed in Federal information technology systems. OMB Memorandum 03-22, "OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002," September 26, 2003, provides guidance to Federal agencies for implementing the privacy provisions of the E-Government Act. OMB requires that Federal agencies conduct reviews of how information about an individual is handled within their agency when IT is used to collect, store, share, and manage personally identifiable information.

The Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer (CIO) is the principal staff assistant for information technology matters relating to DoD PIAs and is responsible for issuing guidance for conducting, reviewing, and publishing PIAs. Deputy DoD CIO Memorandum, "Department of Defense (DoD) Privacy Impact Assessment (PIA) Guidance," October 28, 2005, requires that system owners conduct a PIA on "all new or significantly altered Information Technology (IT) systems or projects that collect, maintain, or disseminate personal information from or about members of the public (excluding information on DoD personnel)." The DoD PIA Guidance requires that the Component CIO review and approve PIAs and forward approved PIAs to the DoD CIO and OMB.

We reviewed the Privacy and CIO offices for DoD; the Departments of the Army, the Navy, and the Air Force; the Defense Threat Reduction Agency; the TRICARE Management Activity; and the Washington Headquarters Service; and 12 subordinate program offices responsible for the security and privacy of the individual systems selected for review. We selected 18 systems for which PIA information was reported in the DoD Information Technology Portfolio Repository (DITPR). DITPR is, by policy, the Department's authoritative unclassified inventory of IT systems and the repository for system information used to meet a wide variety of internal and external reporting requirements.

Objectives

The overall objective of the audit was to determine whether DoD Components report consistent and valid information to the Office of the Secretary of Defense, OMB, and Congress regarding management and protection of personal information related to the DoD Privacy Program. We evaluated DoD compliance with PIA requirements and determined whether safeguards were in place that would prevent compromise and misuse of personal information while stored or while in transfer and whether they were in accordance with the OMB and DoD guidance. We also reviewed the Management Control Program as it related to the overall objective. See Appendix A for a discussion of audit scope and methodology and prior audit coverage related to the overall objective.

Review of Internal Controls [1]

DoD Directive 5010.38, "Management Control (MC) Program," August 26, 1996, and DoD Instruction 5010.40, "Management Control (MC) Program Procedures," August 28, 1996, require DoD organizations to implement a comprehensive system of management controls that provides reasonable assurance that programs are operating as intended and to evaluate the adequacy of the controls.

Scope of the Review of the Management Control Program. We performed tests of the Management Control Program by performing the procedures used to accomplish our objectives. The objective was to determine whether DoD Components report consistent and valid information to the Office of the Secretary of Defense, OMB, and Congress regarding management and protection of personal information related to the DoD Privacy and PIA programs. By performing the procedures to review those programs, we, in effect, tested the Management Control Program for the DoD Privacy and PIA programs.

[1] Our review of the internal controls was done under the auspices of DoD Directive 5010.38, "Management Control (MC) Program," August 26, 1996, and DoD Instruction 5010.40, "Management Control (MC) Program Procedures," August 28, 1996. We continued using these directives because they were still in effect at the time of the audit announcement. DoD Directive 5010.38 was cancelled on April 3, 2006. DoD Instruction 5010.40 was reissued on January 4, 2006, as "Managers' Internal Control (MIC) Program Procedures."

Adequacy of Management Controls. We found weaknesses in the DoD Components' Management Control Programs for reporting PIA information in the DoD Information Technology Portfolio Repository and implementing privacy programs. For specific results of those weaknesses, see the Findings section of the report. The recommendations, if implemented, will correct the weaknesses. We will provide a copy of the final report to the senior official responsible for management controls at the DoD Components.

Adequacy of Management's Self-Evaluation. Our review revealed weaknesses with the Management Control Program for the Army, Navy, Air Force, Defense Threat Reduction Agency, and Washington Headquarters Service.
With the\nexception of the Air Force, all Components reviewed conducted self-assessments\nof their Management Control Program. However, none conducted a review of\neither the privacy program or the PIA program. The Air Force had not conducted\nany self-assessments since FY 2004.\n\n\n\n\n                                    3\n\n\x0c                     A. DoD Privacy Program \n\n                     Operation of the current decentralized DoD Privacy Program is not\n                     effective because DoD Components did not ensure timely and uniform\n                     implementation of privacy program policy for reporting, collecting,\n                     safeguarding, maintaining, using, and disseminating personal information.\n                     Specifically, DoD Components did not consistently prepare system notices\n                     for systems of records, mark documents with mandatory Privacy Act\n                     statements, designate privacy officer responsibilities, or conduct privacy\n                     training. These conditions occurred because neither the DoD Privacy\n                     Office nor the DoD Components established oversight mechanisms and\n                     provided resources necessary for effective program execution. As a result,\n                     the personal information contained in DoD information systems could be\n                     vulnerable to access by unauthorized personnel, and/or for unauthorized\n                     purposes.\n\n\nPrivacy Act Program\n           DoD Components did not consistently implement privacy program policy for\n           reporting, collecting, safeguarding, maintaining, using, accessing, amending, and\n           disseminating personal information. 
Specifically, DoD Components did not\n           prepare system notices for systems of records, mark documents with mandatory\n           privacy statements, designate privacy officer responsibilities, or conduct privacy\n           training in a timely and uniform manner.\n\n           System Notices. DoD Regulation 5400.11, \xe2\x80\x9cPrivacy Program,\xe2\x80\x9d August 1983,\n           requires that DoD Components prepare system notices for systems of records\n           containing personal information retrieved by name or personal identifier, such as\n           an address, social security number, or telephone number. A system of records is a\n           group of records under the control of a DoD Component from which information\n           is retrieved by an individual\xe2\x80\x99s name or other personal identifier. DoD\n           Directive 5400.11, \xe2\x80\x9cDoD Privacy Program,\xe2\x80\x9d November 16, 2004, and DoD\n           Regulation 5400.11-R requires that DoD Components:\n\n                     \xe2\x80\xa2\t submit system notices to the DoD Privacy Office for review and\n                        submission to the Federal Register 2 for publication;\n                                                                    F   F\n\n\n\n\n                     \xe2\x80\xa2\t include a privacy statement on forms used to collect personal\n                        information and retained in a system of records by personal identifier;\n                        and\n\n\n\n\n2\n    Published by the Office of the Federal Register, National Archives and Records Administration, the\n    Federal Register is the official daily publication for rules, proposed rules, and notices of Federal agencies\n    and organizations, as well as executive orders and other presidential documents.\n\n\n\n                                                         4\n\n\x0c       \xe2\x80\xa2\t establish formal training programs for individuals involved in the\n          design, 
development, operation, and maintenance of any system of\n          records.\n\nImplementation of these requirements was inconsistent across DoD Components.\n\n         Army. Army Regulation 340-21, \xe2\x80\x9cThe Army Privacy Program,\xe2\x80\x9d July 5,\n1985, requires that privacy officials ensure system notices are properly described\nin a published notice in the Federal Registry for new systems or systems\nundergoing major changes. The July 1985 regulation had not been updated to\nreflect the 2004 DoD Directive requirement that systems managers submit system\nnotices through their Component\xe2\x80\x99s Privacy point of contact to the Defense\nPrivacy Office for publication in the Federal Registry. Of the three Army\nlocations visited, one location could not identify the system notices published in\nthe Federal Registry for their systems of records. The remaining two Army\nlocations provided a complete list of their systems of records and the\ncorresponding system notices.\n\n        Navy. SECNAV Instruction 5211.5E, \xe2\x80\x9cDepartment of the Navy Privacy\nProgram,\xe2\x80\x9d December 28, 2005, requires that privacy officers and system\nmanagers prepare system notices, submit notices to the Department of the Navy\nPrivacy Officer and DoD Privacy Office for review, and publish approved notices\nin the Federal Register before collecting or maintaining privacy-protected\ninformation. Of the three Navy locations visited, one was creating an inventory\nof systems of records to determine the number of system notices to prepare and\npublish for the identified systems. At two other Navy locations, the activity\xe2\x80\x99s\nprivacy officer, in consultation with system owners, had prepared system notices\nfor systems of records maintained.\n\n         Air Force. 
Air Force Instruction 33-332, \xe2\x80\x9cPrivacy Act Program,\xe2\x80\x9d\nJanuary 29, 2004, requires that system managers prepare and submit system\nnotices through their Major Command Privacy Officer to the Air Force\nCIO/Privacy Office. The Air Force CIO/Privacy Office then submits the system\nnotice to the Defense Privacy Office for publication in the Federal Register for\nnew and changed systems. The Instruction states that system notices are intended\nto inform the public of the types of records the Air Force maintains. The\nInstruction requires that the public have an opportunity to comment on the system\nnotice before system managers implement or make changes to the system. Of the\nthree Air Force locations visited, two locations could not identify system notices\nfor the systems of records under review. The third location provided a complete\nlist of their systems of records and the corresponding system notices, which had\nbeen published in the Federal Registry following review by the DoD Privacy\nOffice.\n\n        Defense Agencies. The Washington Headquarters Service, the TRICARE\nManagement Activity, and the Defense Threat Reduction Agency could identify\ntheir system of records and the corresponding system notices. Additionally, the\nthree DoD agencies updated system notices in the Federal Registry as required.\n\nPrivacy Act Statements. DoD Regulation 5400.11-R, \xe2\x80\x9cPrivacy Program,\xe2\x80\x9d\nAugust 1983, requires that DoD Components include Privacy Act statements on\n\n\n                                    5\n\n\x0cforms that collect personal information and maintain them in an associated system\nof records. DoD Regulation 5400.11-R also requires that DoD Components\nrevise or add Privacy Act statements to forms that non-DoD agencies issue\nwithout Privacy Act statements before using the form to collect personal\ninformation. 
At the military activities visited, administrative personnel\nmaintained numerous paper-based systems of records consisting of personnel\nforms with personal information. The forms, however, did not always contain a\nPrivacy Act statement as required or it was not prominently displayed.\nAdditionally for forms completed by supervisors or administrative personnel\nregarding other individuals, a required Privacy Act statement would enable these\nsupervisors or administrative personnel to make informed decisions regarding the\nnecessity of continued inclusion of selected personal information on these forms.\nFor example, we found Department of the Army Form 1256, \xe2\x80\x9cIncentive Award\nNomination and Approval,\xe2\x80\x9d without any evidence of a Privacy Act statement\nbeing provided on the form or as an attachment, despite inclusion of names and\nother personal identifiers. The three DoD agencies reviewed, however, did\nimplement policies or procedures to ensure the proper use of Privacy Act\nstatements.\n\nWe also found that the military activities used non-Component-generated forms\nthat did not include a Privacy Act statement before collecting the personally\nprotected information. For example, the Army, Navy and Air Force used\nnon-DoD Standard Form 50-B, \xe2\x80\x9cNotification of Personnel Action;\xe2\x80\x9d OMB Form\nNo. 3206-0160, \xe2\x80\x9cHealth Benefits Registration;\xe2\x80\x9d and Standard Form 2817, \xe2\x80\x9cLife\nInsurance Election Federal Employees Group Life Insurance Program.\xe2\x80\x9d See\nAppendix B for a list of the forms containing personal information, which we\nfound filed in a system of records, retrieved by personal identifier that did not\ncontain a required privacy statement.\n\nPrivacy Officer Responsibilities. The Army, Navy, and Air Force privacy\nguidance requires that activity privacy officers administer privacy programs and\nimplement Privacy Act requirements. 
We found that privacy officers at military activities did not or could not always address Privacy Act requirements. In addition, not all privacy officers had received formal management-level privacy training. For example, the Staff Judge Advocate at one Navy location was designated as the Privacy Act Officer in July 2003 as an additional duty, but did not begin complying with Privacy Act requirements for systems of records and system notices, privacy training, and Privacy Act Program assessments until April 2006.

At one Air Force Command, the Acting Privacy Officer appointed in April 2006 was also designated as the Freedom of Information Act (FOIA) officer and was expected to perform both duties while fulfilling other full-time work requirements. This Acting Privacy Officer could not verify whether system owners had prepared system notices for the Command’s systems of records we reviewed. At another Air Force Command, the Privacy Officer position was filled as an acting position for 2 years and the incumbent also fulfilled the responsibilities of another regular full-time position. The Acting Privacy Officer could not match the system notices to the IT systems of records we reviewed. In June 2006, following completion of on-site audit fieldwork, the Command hired a dedicated privacy officer.

At one Army location, the Privacy Officer who was appointed in October 2004 was responsible for the FOIA program in addition to other full-time duties. The Privacy Officer did not receive management-level Privacy Act training. At another Army location, the appointment of a Command Privacy Officer was pending, although we identified an official who was assigned privacy responsibilities for a division within the Command.
At the third Army location, the Privacy Officer, appointed in July 2005, had not received any formal management-level privacy training.

The three DoD agencies reviewed designated privacy officers to administer their privacy programs. The Defense Threat Reduction Agency and TRICARE Management Activity’s Privacy Officers oversee dedicated staff members who administer privacy requirements. The Washington Headquarters Service Privacy Officer is responsible for all privacy requirements.

Privacy Training. Of 12 locations visited, 10 had not implemented a job-specific privacy training program for employees and contractors directly involved with protecting personally identifiable information or IT systems containing such information. The Privacy Act requires that agencies maintaining systems of records establish rules of conduct for individuals involved in the design, development, operation, or maintenance of systems of records. DoD Regulation 5400.11-R establishes requirements for orientation, specialized, and management training for individuals involved with systems of records. Although the Regulation does not require all employees to be trained, such training would provide individuals with a basic understanding of DoD privacy requirements as they apply to the individual’s job performance. The training would also provide managers of operational programs and activities with information on privacy implications.

Based on the information we received during interviews with privacy officials from the Military Departments and DoD agencies, we identified a lack of awareness of Privacy Act requirements. Additionally, the level of training varied by location.
Of the 12 locations reviewed, privacy officials at 3 locations did not conduct training on privacy requirements, and although privacy training was conducted at another 8 locations, the Privacy Officer did not document the requirements of the program or identify the types of training required for all levels of personnel, including specialized and management training. The remaining location implemented and documented a privacy training program that included training for all levels of personnel.

Military Departments. The Departments of the Army and the Navy did not require privacy training for all personnel. Additionally, Army Regulation 340-21 is void of any requirements for privacy training. In December 2005, for the first time, the Air Force required Air Force personnel to complete privacy training using an on-line portal. The Air Force, however, in April 2006, rescinded the training requirement because the on-line portal could not accommodate the volume of users taking the training. Further, some Air Force personnel did not have access to a computer to take the training and, finally, the on-line curricula did not cover all elements that the Privacy Act requires.

DoD Agencies. While the three DoD agencies that we reviewed conducted and documented some form of privacy training, the frequency and sophistication of the training varied. The Defense Threat Reduction Agency implemented mandatory annual privacy awareness training in August 2003. Privacy awareness training is also conducted at the Washington Headquarters Service, and in August 2006, the Privacy Officer obtained approval to mandate annual computer-based privacy training. Implementation of the training is expected by August 2007.
However, the Defense Threat Reduction Agency and Washington Headquarters Service did not implement specialized and management privacy training requirements for all employees requiring additional privacy training. At the TRICARE Management Activity, privacy training is required annually, and specialized employees and managers also receive additional training.

OMB Memorandum M-06-15, “Safeguarding Personally Identifiable Information,” May 22, 2006, re-emphasizes the responsibilities of Federal agencies under law and policy to safeguard personally identifiable information and train employees on their responsibilities regarding personal information. OMB Memorandum M-06-15 also requires that Federal agencies remind employees, within 30 days, of their specific responsibilities for safeguarding personally identifiable information, the rules for acquiring and using protected information, and the penalties for violating Privacy Act rules.

DoD Components should treat privacy training as a priority and develop and distribute appropriate privacy training material to all DoD personnel. The Components should identify all employees and contractors involved with protecting personally identifiable information, require that they complete annual privacy awareness training, and document completion of that training. Lastly, Components should require that personnel in sensitive, specialized, and management positions receive privacy training appropriate for their positions of trust.
The Components should clearly specify the requirements for privacy training at each level and document the completion of all training for each individual trainee level.

Program Oversight and Resourcing

The Military Departments’ privacy officers did not actively oversee the Departments’ privacy programs consistent with DoD Directive 5400.11 requirements, and many privacy officers performed dual roles, with privacy responsibilities not given the higher priority.

The Army’s Privacy Officer is responsible for ensuring that the Department of the Army fulfills all Privacy Act requirements in addition to administering the Army FOIA program and the Quality of Information Program. The Army privacy staff consisted of one privacy specialist and one office chief with management responsibilities for FOIA, privacy, and the Quality of Information Program. The privacy specialist position is currently vacant, and there is no plan to fill the position.

Similarly, the Navy’s Privacy Officer is responsible for developing and implementing policy and provisions of the Privacy Act, developing a Navy-wide privacy training program, and conducting privacy reviews. Additionally, the Privacy Officer is the training oversight manager who is responsible for managing notices for the Navy and joint Navy and Marine Corps Privacy Act systems, chairs the Navy’s Privacy Act Oversight Working Group, and coordinates all Navy PIAs before submitting them to the Navy CIO, with a staff of four employees.

The Air Force Privacy Officer is responsible for providing guidance and assistance to the Air Force Major Commands and field operating activities to verify that information requirements developed to collect or maintain personal data conform to privacy standards.
In addition, the Privacy Officer with one other person is responsible for the Air Force FOIA and PIA programs as well as the Federal Register liaison.

The Defense Threat Reduction Agency, TRICARE Management Activity, and Washington Headquarters Service each designated a Privacy Act officer and issued privacy program guidance. The privacy officers, however, have additional duties, such as FOIA and PIA, and do not always have the resources necessary to fulfill their privacy duties.

Insufficient oversight compromises the safeguards for personal information contained in DoD information systems and exposes personal information to access by unauthorized personnel for unauthorized purposes. Requiring DoD Components and activities to complete bi-annual certifications that Privacy Act program requirements were implemented and are being followed by Components may assist privacy officers in identifying resources needed for compliance in managing more robust privacy programs.

Conclusion

Federal agencies have a special duty to protect personally identifiable information. The increased focus on privacy following information losses at numerous Federal agencies has resulted in OMB placing additional requirements on already thinly resourced DoD privacy program staff, and the current decentralized program cannot provide an effective response. DoD privacy officials do not consistently implement safeguards and policies for protecting personal privacy information as required by the Privacy Act, and Component privacy officers do not oversee privacy programs within their Components. The personal information contained in DoD systems could be vulnerable to access by unauthorized personnel, and individuals identified in systems of records could be vulnerable to identity theft and fraudulent activities.
Effective oversight and administration of the DoD Privacy Act program is contingent on the allocation of sufficient resources and establishment of internal control mechanisms to verify accomplishment of the program’s intent.

Management Comments on the Finding and Audit Response

DoD Senior Privacy Official Comments on Defense Privacy Office Oversight. The report does not acknowledge that the Defense Privacy Office has a number of mechanisms in place, similar to those used by the Office of Management and Budget in its oversight role for Federal Privacy, which permit the Defense Privacy Office to oversee the Component Privacy Programs. The Defense Privacy Office has a dedicated technical channel with Component Privacy officials that provides the Defense Privacy Office with information on Components and permits Components to surface problems when encountered. The Defense Privacy Office oversees Components by reviewing and approving Privacy Act system of records notices, which shows how well Components are complying with Privacy Act requirements. The Defense Privacy Office prepares the Department’s FISMA Privacy Report based, in part, on input provided by DoD Components. In effect, Components are tasked to assess their programs. The resulting input provides the Defense Privacy Office with an opportunity to assess the current health of the Component’s Privacy Program. The DoD Inspector General and Component Inspectors General are a way to oversee Components, a means that until now has not been used frequently.

Audit Response. We reviewed management comments and determined that report revisions were not required.
Current Defense Privacy Office and Component oversight mechanisms failed to ensure that DoD consistently implemented Privacy Program policy for reporting, collecting, using, safeguarding, and maintaining personal information. Component Privacy offices could not always document that system record notices had been prepared for required systems; did not always consult with subordinate offices when preparing Component FISMA responses forwarded to the Defense Privacy Office; and did not always conduct proactive oversight of subordinate Privacy offices. Periodic reviews of the DoD Privacy Program by the DoD Inspector General and Component Inspectors General are not a substitute for sound management controls and oversight of the Privacy Program.

DoD Senior Privacy Official Comments on Privacy Act Statements. The report identifies a number of forms that did not include a Privacy Act statement. However, Standard Form 2817 and Standard Form 1199A do contain a Privacy Act statement. For Form 2817, the Privacy Act statement is described at the top of page 1. For Form 1199A, the Privacy Act statement is located on the back of the Form under the heading “Please Read This Carefully.” Finally, Standard Form 50-B does not require a Privacy Act statement as information is not being collected directly from the individual.

Audit Response. We reviewed management comments and determined that report revisions were not required. Our review of Component system of records containing completed Standard Form 2817 found the statement at the top of the page: “See Privacy Act statement on the back of part 3.” However, we found no back page on the forms we reviewed. Likewise, when reviewing completed 1199A forms we did not find a back page.
Requiring Privacy Act statements on forms like Standard Form 50-B when information is provided by a trained third party would enable these trained third parties to make informed decisions on whether to continue including selected personal information on these forms.

Department of the Navy Comments on the Finding. Although not required to comment, the Department of the Navy CIO provided the following comments on Finding A. The Department of the Navy CIO concurs that SECNAV Instruction 5211.5E should be updated to reflect changes in managing the Privacy Program, policies, and practices. The Instruction is under review and will incorporate recommendations from this audit report, as appropriate. The Department of the Navy Privacy Act and FOIA offices acted to reduce the threat to personally identifiable information and increase privacy awareness by updating the Privacy web site, identifying systems of records on the web site, listing all changes to systems on the Privacy web site, developing and posting Privacy training materials on the Privacy web site, revising SECNAV Instruction 5211.5E, forming Privacy working groups to address best practices and policy, designating one full-time equivalent for IA to focus on PIAs and coordinate activities with the Privacy Act and FOIA offices, and reviewing one-third of the Department of the Navy’s system inventory to ensure proper reporting. In addition, the Department of the Navy Deputy CIO (Marine Corps) is drafting policy for a PIA process, for personnel management on personally identifiable information, and for reporting of loss or compromise of personally identifiable information.

Audit Response.
We reviewed the Department of the Navy comments and acknowledge the progress made to improve operations within the Navy Privacy Program.

Recommendations, Management Comments, and Audit Response

Revised Recommendations. We revised the recommendation to clarify our position that the responsibility for addressing Finding A recommendations resides with the Director of Administration and Management, Office of the Secretary of Defense.

We recommend that the Director of Administration and Management, Office of the Secretary of Defense:

a. Modify DoD Directive 5400.11, “DoD Privacy Program,” November 16, 2004, to require the Secretaries of the Military Departments and DoD Component heads to:

(1) Provide bi-annual certifications that the requirements for the Privacy Act training program, system of records, system notices, and Privacy Act statements have been implemented and are being followed, and forward the certificates to the Defense Privacy Office for review and retention.

Management Comments. The DoD Senior Privacy Official generally concurs with the findings but not with the recommendations. The Defense Senior Privacy Official stated that the Components are now under an affirmative obligation to ensure that the Program mandates are met. The Defense Senior Privacy Official also stated that biannual certification requirements would not remedy the problems identified in the report. The Component FISMA Privacy reporting is a more effective tool for overseeing and reviewing Component compliance with program requirements.

Audit Response. The DoD Senior Privacy Official’s comments are not responsive.
The FISMA Privacy reporting is primarily agency-level inquiries. Component heads’ FISMA reporting does not adequately reflect the condition of DoD Privacy operations because Component FISMA reports do not always include information from field Privacy offices. Privacy officers at all levels should report and certify information on the operation of their Privacy programs. The information should be submitted to the Component head, who reviews and validates that information before certifying the Component submission to the Defense Senior Privacy Official. We request that the Defense Senior Privacy Official reconsider his position on the recommendation and provide additional comments on the final report.

(2) Require that Privacy Act statements are included on any DoD and non-DoD form used to collect personally identifiable information regardless of who provides the information.

Management Comments. The DoD Senior Privacy Official generally concurs with the findings but not with the recommendations. The Defense Privacy Office stated that the report points out that DoD Regulation 5400.11 requires forms, whether DoD or not, to contain a Privacy Act statement if the information is being collected directly from the individual and filed in a system of records. Neither the Privacy Act nor the DoD guidance requires that a Privacy Act statement be provided by a third party who is furnishing information about an individual.

Audit Response. The DoD Senior Privacy Official’s comments are not responsive. We agree that neither the Privacy Act nor the DoD guidance requires a Privacy Act statement to be provided by a third party who is furnishing information about an individual.
However, forms completed by supervisors, administrative personnel, or other third parties regarding other individuals’ personal information should require a Privacy Act Statement to properly and promptly alert those responsible individuals about the sensitivity of and the need to safeguard the personal data. Use of the Privacy Act Statement will enable those individuals to make informed decisions and inquiries regarding the necessity of continued inclusion of selected personal information on such forms. That personally identifiable information is provided by an external source or third party does not negate the need to protect that data from unauthorized or improper access. We request that the DoD Senior Privacy Official reconsider his position on the recommendation and provide additional comments on the final report.

(3) Require that Privacy officers receive management Privacy training within 90 days of appointment and include the Privacy training requirement in performance standards established for Privacy officials.

Management Comments. The DoD Senior Privacy Official generally concurs with the findings but not with the recommendations. The Defense Privacy Office stated that DoD Regulation 5400.11 will be changed to incorporate training requirements. However, the proposal of incorporating a Privacy training requirement into the performance standards of Privacy officials will be evaluated as part of the DoD Privacy Program review.

Audit Response. The DoD Senior Privacy Official’s comments are partially responsive. We disagree that further evaluation is necessary before incorporating Privacy training requirements into the performance standards of Privacy officials. We identified a Defense Agency that has incorporated Privacy training requirements into every employee’s annual performance standards.
This requirement clearly proved to be an effective way to ensure completion of Privacy training and promote increased Privacy awareness among the agency staff. We request that the Defense Senior Privacy Official reconsider his position on the recommendation and provide additional comments on the final report.

(4) Require that individuals involved with implementing privacy requirements and/or handling personal information receive appropriate specialized and management training as identified in DoD Regulation 5400.11-R, “Privacy Program,” August 1983.

Management Comments. The DoD Senior Privacy Official generally concurs with the findings but not with the recommendations. The Defense Privacy Office stated that the current DoD Regulation on Privacy includes guidance on such training. The revised Regulation, which is undergoing a final review, has been expanded to provide additional guidance as well.

Audit Response. The DoD Senior Privacy Official’s comments are partially responsive. DoD Regulation 5400.11-R, “Privacy Program,” August 1983, outlines the basis for non-mandatory specialized and management training. However, establishing mandatory specialized and management privacy training requirements for DoD Components is crucial to ensure that individuals involved with implementing Privacy requirements and/or handling personal information are fully aware of the importance and nature of their respective positions. We request that the Defense Senior Privacy Official reconsider his position on the recommendation and provide additional comments on the final report.

(5) Require annual Privacy Act awareness training for all DoD employees that includes a certification of completion.

Management Comments. The DoD Senior Privacy Official generally concurs with the findings but not with the recommendations.
The Defense Privacy Office stated that the new DoD Regulation on Privacy will state that Privacy awareness training will be offered and conducted. How often the training is conducted will be at the discretion of the Components.

Audit Response. The DoD Senior Privacy Official’s comments are not responsive. We understand that it is the duty of the Component to train its individuals on Privacy awareness. However, during our review, we discovered a lack of knowledge of Privacy Act requirements throughout DoD Component Privacy offices. The Privacy training varied in sophistication and frequency and was nonexistent at some locations. For example, one DoD agency established an effective Privacy program designed to ensure that all employees understood their rights to Privacy protection and responsibilities. However, at another DoD Component office we found no Privacy training in place to ensure these same Privacy rights and responsibilities. Privacy training should be given the same level of attentiveness as DoD annual ethics and security training requirements. We request that the Defense Senior Privacy Official reconsider his position on the recommendation and provide additional comments on the final report.

b. Assess the DoD privacy program for staffing levels and resources required to enable privacy officials to effectively fulfill their privacy duties and recommend resource reallocations to the Secretary of Defense, Secretaries of the Military Departments, and DoD Component Heads as necessary to ensure a viable privacy program.

Management Comments. The DoD Senior Privacy Official generally concurs with the Findings but not with the recommendations.
The DoD Senior Privacy Official agrees that Component staffing levels and resources should be assessed with a view of determining what can be done to enhance Program effectiveness. The DoD Senior Privacy Official stated that the assessment will be conducted as part of the DoD Privacy Program review.

Audit Response. Management comments are responsive. The DoD Senior Privacy Official agrees on the necessity to assess the DoD Privacy program for staffing levels and resources required and provided a review target completion date of the fourth quarter, FY 2007. No further comments are required.

c. Modify DoD Directive 5400.11, “DoD Privacy Program,” November 16, 2004, to require that Component Privacy officers, in coordination with the Component Chief Information Officers, support preparation of the certifications required in Recommendation a.

Management Comments. The DoD Senior Privacy Official generally concurs with the Findings but not with the recommendations. The DoD Senior Privacy Official stated that CIOs do not have a direct role in the Privacy Program, although they do have a critical role to play regarding Privacy. In effect, the Component Privacy Official relies on the Component CIO to develop the appropriate technical safeguards that will protect personally identifiable information in IT systems, thereby permitting the Component to comply with the Privacy Act, and implementing DoD and the Component authority.

Audit Response. Management comments are not responsive. The coordination between the Component Privacy officials and the CIOs is essential for the success of the Privacy Program. Establishing procedures to coordinate preparing, reviewing, and approving system record notices and establishing technical safeguards will advance awareness and compliance with Privacy requirements throughout the DoD.
We request that the DoD Senior Privacy Official reconsider his position on the recommendation and provide additional comments on the final report.

(1) Develop an authoritative inventory of Component systems of records containing personally identifiable information.

Management Comments. The DoD Senior Privacy Official generally concurs with the Findings but not with the recommendations. The DoD Senior Privacy Official stated that the DoD Regulation 5400.11 requires the Defense Privacy Office to maintain an authoritative inventory of systems of records notices. The DoD Senior Privacy Official stated that the inventory is posted in the Defense Privacy Office website.

Audit Response. Management comments are not responsive. System owners could not always identify or substantiate that systems of records notices had been prepared for information technology systems and paper-based systems. Additionally, while system owners were aware of systems of records that covered multiple systems, they could not always identify single systems covered by a blanket system of records notice. Component Privacy officers, in coordination with the Component CIOs, should develop and maintain a systems of records inventory for all Component-owned systems. We request that the DoD Senior Privacy Official reconsider his position on the recommendation and provide additional comments on the final report.

(2) Prepare system notices for the inventory of systems of records maintained.

Management Comments. The DoD Senior Privacy Official generally concurs with the Findings but not with the recommendations. The DoD Senior Privacy Official stated that CIOs do not have a direct role in the Privacy Program, although CIOs have a critical role to play regarding Privacy.
The DoD Senior Privacy Official stated that the DoD 5400.11 requires system managers to prepare a system notice for any new, amended, or altered system and to forward that notice to the Component Privacy Official for review.

Audit Response. Management comments are not responsive. The recommendation discusses the need for the Component Privacy officers and CIOs to coordinate a review of system notices that the system owner prepared. DoD Component Privacy Officers could not always identify whether or not systems were covered by a system of records notice. Privacy officer and CIO coordination will benefit the system notice process by fostering increased communication and awareness. We request that the DoD Senior Privacy Official reconsider his position on the recommendation and provide additional comments on the final report.

(3) Oversee subordinate privacy programs by conducting privacy reviews and verifying that privacy training is conducted at all required levels.

Management Comments. The DoD Senior Privacy Official generally concurs with the Findings but not with the recommendations. The DoD Senior Privacy Official stated that Component Privacy Officials are currently required to provide input for the FISMA Privacy Report, to review their Privacy Programs, to include assessing whether their training programs are ensuring that personnel are generally familiar with information Privacy laws, regulations, and policies and whether appropriate job-related training is being offered.

Audit Response. Management comments are not responsive. Component Privacy offices did not perform proactive oversight of subordinate Privacy programs; instead, efforts were focused on responding to subordinate office inquiries. The current DoD Directive 5400.11 does not direct Component Privacy offices to oversee subordinate Privacy programs.
FISMA Privacy reporting is not an effective oversight tool for reasons stated in Recommendation a.(1), Audit Response. We request that the DoD Senior Privacy Official reconsider his position on the recommendation and provide additional comments on the final report.

B. Privacy Impact Assessments

DoD did not fully comply with the PIA requirements of the E-Government Act of 2002, and a significant portion of the DoD CIO community did not establish responsibilities for conducting, reviewing, approving, and reporting PIAs or posting PIAs to public Web sites. DoD did not comply with requirements of the Act because the ASD(NII)/DoD CIO and the Component CIOs did not provide timely guidance for implementing a DoD PIA program following enactment of legislation in December 2002. Also, the DoD CIO community did not follow safeguards or establish effective management oversight mechanisms to protect personally identifiable information. As a result, DoD information systems may not conform to DoD and Federal policies regarding privacy information, and their operation may not be designed to prevent the compromise and misuse of the public’s personally identifiable information.

E-Government Act of 2002

The E-Government Act establishes protections for the privacy of personally identifiable information as agencies implement an electronic Government that focuses on citizens. Personally identifiable information is information that directly identifies an individual, such as by name, address, social security number, telephone number, gender, birth date, or e-mail address. To accomplish this, the Act requires that Federal agencies conduct PIAs.
A PIA addresses privacy factors for new or significantly altered IT systems or projects that collect, maintain, or disseminate personal information from or about members of the public. Once complete, the Act requires that Federal agencies submit PIAs to OMB.

The E-Government Act also requires that OMB issue guidance to Federal agencies specifying the required content of a PIA. In September 2003, OMB issued OMB Memorandum 03-22 that implemented the privacy provisions of the E-Government Act. The DoD Deputy CIO issued PIA guidance implementing OMB Memorandum 03-22 for DoD Components 2 years later on October 28, 2005.

DoD did not fully comply with the PIA requirements of the E-Government Act. Although the DoD PIA Guidance included additional responsibilities for the review and coordination of a PIA at the Component level, the guidance partially contradicted the requirements of the E-Government Act. Specifically, the DoD PIA guidance requires that Component CIOs ensure that PIAs are properly developed and reviewed, approved and publicly accessible, and forwarded to OMB for IT systems and projects. The Act, however, requires that the Executive Agency CIO (the ASD(NII) for DoD) review PIAs before they are made publicly accessible. The DoD CIO delegation to the Component CIOs is inconsistent with the intent of the Act in that it does not provide for a Departmental-level PIA program. Further, the DoD CIO guidance does not specify the responsibilities of the DoD CIO for reporting PIA information to the DoD Senior Privacy Official for inclusion in the annual reporting to OMB. The diagram below depicts the DoD decentralized process for conducting, reviewing, coordinating, and approving a PIA.
A discussion of the process follows.

DoD PIA Process (diagram)

• E-Government Act of 2002 (requires Executive Agencies to prepare PIAs).
• Office of Management and Budget (OMB) (OMB requires PIA information for the FISMA Privacy report); receives the approved PIA* from the ASD(NII)/CIO.
• ASD(NII)/CIO; receives the approved PIA from the Component CIO. The Defense Privacy Officer advises and assists the ASD(NII)/CIO on privacy matters impacting PIAs.
• Component CIO (approves and posts PIAs); receives the reviewed PIA from the Component Privacy Act Officer and the Component Information Assurance Officer.
• Component Privacy Act Officer (reviews and coordinates PIA) and Component Information Assurance Officer (reviews and coordinates PIA); each receives the PIA from the System Owner.
• System Owner (prepares PIA).

* The E-Government Act requires that ASD(NII)/DoD CIO review PIAs and make them publicly available if practicable, and provide the Director of OMB a copy of the PIA for each system for which funding is requested.
The DoD CIO, however, delegated that authority and responsibility to Component CIOs.

Privacy Impact Assessment Requirements

Components' CIOs did not establish responsibilities for conducting, reviewing, approving, and reporting PIAs or posting PIAs to public Web sites. The DoD PIA Guidance and OMB Memorandum 03-22 require that agencies conduct reviews about the handling of an individual's information within an agency when agencies use IT for collecting new information, or when agencies develop or buy new IT systems that will handle collections of personally identifiable information. The DoD PIA Guidance and OMB Memorandum 03-22 also require that agencies describe how they handle information individuals provide electronically to the Government, so the public has assurance that the Government is protecting personal information.

PIA Responsibilities. DoD PIA Guidance assigns responsibilities and establishes a process for Component CIOs, privacy officers, and Information Assurance (IA) officials to use when completing, reviewing, approving, and posting PIAs. The Component privacy officer is responsible for reviewing and coordinating PIAs to identify and evaluate privacy implications. The IA official reviews and coordinates PIAs to assess compliance with DoD IA policies. As the PIA reviewing official, the Component CIO verifies that system owners complete PIAs, approves and submits the assessment to the DoD CIO and OMB, and posts the PIA on the Component's public Web site.

        Army. In January 2006, the Department of the Army CIO (Army CIO) designated a department-level PIA official. The Army PIA official is responsible for adhering to the requirements of the DoD PIA program.
Army Regulation 340-21, "The Army Privacy Program," however, has not been updated in more than 20 years, nor has supplemental Army guidance been provided for preparing and reviewing PIAs. A PIA program did not exist at two of the three Army locations visited. One system owner stated that he was not aware of the DoD PIA Guidance. At another location, the Privacy Officer, in addition to reviewing a PIA for privacy implications, also approved the PIA. None of the locations assigned responsibility to an IA official to review PIAs for compliance with IA policies.

        In the absence of DoD guidance, the Army Corps of Engineers prepared a PIA using the General Services Administration PIA template as a guide. System owners completed the PIA before the DoD CIO issued the DoD PIA template in October 2005. The approved Corps PIA was sent directly to OMB, but not to either the Army or DoD CIO. Future Corps PIA development and submissions should be consistent with OMB and DoD guidance.

        Navy. The Department of the Navy CIO (Navy CIO) designated an official responsible for the Navy's PIA program and stipulated that the Navy official must meet the requirements of the DoD PIA program. However, SECNAV Instruction 5211.5E did not include some of the PIA responsibilities in the DoD PIA Guidance. Although SECNAV Instruction 5211.5E requires that the Navy CIO provide guidance to Navy officials on PIAs and oversee policy and procedures that will ensure system owners conduct PIAs, the Instruction does not require that an IA official review PIAs for compliance with IA policies.
The Navy PIA official did not review, approve, or submit Navy PIAs to the DoD CIO or OMB because the Navy Components did not provide any PIAs for review.

        We reviewed the implementation of the PIA program at three Navy locations and found that none assigned PIA responsibilities as the DoD PIA Guidance requires. System owners at one location stated that they did not assign PIA responsibilities because they were not aware that requirements existed. System owners at another location stated that they did not prepare any PIAs or assign responsibilities for PIA requirements because they determined that their systems do not require PIAs.

        System owners at the third Navy location stated that they used the Navy's PIA template to prepare PIAs. System owners reviewed and submitted the PIA to the Navy Privacy Officer on December 15, 2005, for review. However, the DoD and Navy CIOs did not receive the PIA. The system owner did not track the status of the PIA after submitting the assessment to the Navy Privacy Officer. In addition to not tracking the status, the system owners did not require that the IA official review the PIA before submitting the assessment to the Navy Privacy Officer to determine compliance with IA policies. Further, SECNAV Instruction 5211.5E requires that the Navy CIO review and approve PIAs for the Navy, not the Navy Privacy Officer.

        Air Force. Air Force Instruction 33-332 requires that system owners conduct PIAs. The Instruction requires that the Privacy Act office review the PIA and provide the assessment for final approval to both the major command and headquarters functional CIO. Once reviewed at the subordinate level, the Instruction requires the submission of the PIA to the Department of the Air Force CIO.
In the Air Force, the Privacy Act officer and PIA officer are one and the same, and that official stated that Air Force Components did not submit PIAs to the Air Force CIO, the DoD CIO, or OMB because Air Force Components were not preparing PIAs. According to the Air Force Privacy/PIA Officer, system owners did not have any approved PIAs to submit for review as of August 2006.

        We reviewed the PIA programs at three Air Force sites. None of those three commands assigned PIA responsibilities that the DoD PIA Guidance requires. System owners at two commands did not assign responsibilities or prepare a PIA because they were not aware of the requirements. As a result, the commands did not designate a PIA official or conduct systems evaluations that could determine whether their information systems require PIAs. A system owner at the third command is preparing the command's first PIA, which includes the system owner completing the PIA, the Records Management/Privacy Officer reviewing the PIA, and the functional CIO approving the PIA. The PIA process and Air Force Instruction 33-332 do not require that the IA official review the PIA for compliance with DoD IA policies. Air Force officials stated that they are planning to update Air Force Instruction 33-332 by December 2006. The updated Instruction will include the requirements of the DoD PIA program. The Air Force Privacy/PIA Officer also stated that since the audit team's initial visit, the Air Force has begun assigning PIA responsibilities Air Force-wide.

        DoD Agencies. We reviewed the PIA programs at three DoD agencies. Of the three agencies, the Defense Threat Reduction Agency did not assign PIA responsibilities in accordance with DoD PIA Guidance. That agency did not establish any PIA roles and responsibilities for individuals who must be involved in the PIA process.
In the two remaining agencies, the TRICARE Management Activity and the Washington Headquarters Service, processes were in place to determine whether their information systems require a PIA. Although that process was in place, the Washington Headquarters Service did not complete any PIAs or formally document the use of its process. The IA official, the Privacy Office, and CIO at both the Washington Headquarters Service and the TRICARE Management Activity were in place to review and coordinate PIAs during the approval process, which met the requirements of the guidance.

Component CIOs must ensure adherence to DoD PIA Guidance and assign PIA responsibilities within their agencies. Component CIOs should require that system owners submit system evaluations for the proper review. The Component CIOs should review system owner evaluations that include any determination that an assessment was not required. Component CIOs should ensure that PIA policy complies with the DoD PIA Guidance.

Posting PIAs to Public Web Sites. The guidance requires that each DoD Component maintain a repository of PIAs and post PIAs to a central location on the Component's public Web site. The PIA should remain posted until the Component terminates the system or no longer maintains information in identifiable form in the system. The DoD PIA Guidance also directs that the ASD(NII) maintain a DoD Web site that enables public access to approved PIAs or summary PIAs.

Although the ASD(NII)/DoD CIO Web site contains a PIA link, the link only provides access to a PIA request box (and no list of PIAs). The CIOs for the Army, Navy, and Air Force did not post approved PIAs to their Web sites because the CIOs did not receive any completed PIAs.
In addition, both the Defense Threat Reduction Agency and the Washington Headquarters Service did not post PIAs to their Web sites because those agencies did not complete one. The TRICARE Management Activity posted a list of completed PIAs on its Web site. The Web site contained a link for viewers to request a copy of the PIAs. Only two Components, the Air Force and the TRICARE Management Activity, included the E-Government Act requirement to post PIAs to the agency's Web site in their guidance.

A DoD Component CIO must make PIAs available to the public and provide necessary guidance for doing so to their Component. The ASD(NII)/DoD CIO should have either posted any approved PIAs to its Web site or provided links to Component Web sites for accessing them. Additionally, the ASD(NII)/DoD CIO should clarify the circumstances in which PIAs are to be made available to the public.

Management Oversight

DoD Components did not fully comply with requirements of the E-Government Act because ASD(NII)/DoD CIO and the Component CIOs did not provide timely implementing guidance for a DoD PIA program following enactment of legislation in December 2002.
Also, they did not implement safeguards or establish effective management oversight mechanisms to protect personally identifiable information by:

       • thoroughly disseminating requirements for PIAs to DoD system owners;

       • updating guidance to assign necessary responsibilities to officials reviewing, coordinating, approving, reporting, and posting PIA information;

       • requiring that PIA officials complete training required for evaluating, completing, or submitting a PIA; and

       • establishing effective internal control mechanisms to ensure compliance with PIA requirements.

CIO Oversight. The DoD PIA Guidance requires that the ASD(NII)/DoD CIO serve as the DoD principal point of contact for any IT matters relating to PIAs. The guidance requires that the CIO provide Department-wide guidance on how to conduct, review, and publish a PIA. Military Departments and heads of DoD Components must establish policies and procedures that implement the guidance. DoD Components must also educate personnel on their responsibilities for protecting personally identifiable information. The CIO did not, however, issue the guidance until October 2005, two and one half years after the E-Government Act went into effect in April 2003. In addition, the DoD CIO and Component CIOs did not adequately oversee system owners who are required to conduct PIAs. As a result, system owners at the Army, Navy, and Air Force stated that they were not aware of the DoD PIA Guidance.

Active oversight of the PIA process is important to guarantee that Component CIOs are implementing PIA programs and that system owners are conducting PIAs on required systems.
Component CIOs should be overseeing the PIA program to determine that system owners secure, protect, and preserve the confidentiality of the information in identifiable form.

DoD PIA Guidance. The DoD PIA Guidance requires that DoD Components complete a PIA when developing or procuring an IT system or project that collects, maintains, or disseminates information in identifiable form on members of the public. The Guidance, however, does not require that DoD Components conduct a PIA on DoD information systems that collect and maintain personally identifiable information on DoD personnel. Although the PIA requirements of the E-Government Act permit exclusion of DoD personnel, privacy implications should be considered for any information system that collects personally identifiable information. OMB Memorandum 06-20, "FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management," July 17, 2006, states that OMB encourages agencies to scrutinize their internal business processes for handling identifiable information about employees to the same extent they scrutinize processes and information handling procedures involving information collected from or about members of the public, despite section 208 of the E-Government Act and OMB Memorandum 03-22 stating otherwise. By conducting PIAs on IT systems that collect information on DoD personnel, in addition to the public, individuals within DoD can be assured that their personally identifiable information is as secure as that of the general public.

Component CIOs did not disseminate DoD PIA Guidance throughout all levels of their Components. Of the 12 locations visited, 5 were not familiar with or had never received the DoD PIA Guidance before the audit. Of the five, four locations did not complete any PIAs or assign PIA responsibilities.
The fifth location completed PIAs, but the process used for reviewing, coordinating, and approving a PIA did not meet DoD requirements.

DoD Component PIA Guidance. DoD PIA Guidance requires that the Military Departments and heads of DoD Components establish policies and procedures that implement the DoD PIA Guidance and are consistent with OMB Memorandum 03-22.

However, Army Regulation 340-21 did not include any PIA requirements because the Regulation was more than 20 years old. An Army official stated that an update to the Regulation is in draft. During our review, the Army CIO was developing draft PIA guidance. SECNAV Instruction 5211.5E included some PIA requirements, but the Instruction did not include a requirement that an IA official review and coordinate PIAs for compliance with DoD IA policy. The Instruction also did not require that the Component CIO post approved PIAs to its public Web site. On June 16, 2006, however, the Navy did issue PIA guidance, which requires Navy activities to perform PIAs on any new or significantly altered IT systems that collect information in identifiable form on Navy military and civilian personnel and members of the public. Although approved on January 29, 2004, Air Force Instruction 33-332 did not meet the requirements of the DoD PIA Guidance because it did not require that the IA official review the PIA for IA implications or designate the Air Force Privacy Official as the PIA reviewing official at the Air Force CIO. The Instruction also did not require that system owners send completed PIAs to the DoD CIO and OMB.
One Air Force official stated that the Instruction will be updated by December 2006.

The Washington Headquarters Service and the Defense Threat Reduction Agency did not develop any PIA guidance, but the TRICARE Management Activity did. The TRICARE Management Activity developed the "TRICARE Management Activity Privacy Impact Assessments (PIAs)," February 10, 2006. The TRICARE guidance outlines responsibilities of officials, responsibilities for the PIA process, and instructions on how to manage completed PIAs.

PIA Training. Although DoD does not require PIA training, the DoD Deputy CIO memorandum of October 28, 2005, requires the Secretaries of the Military Departments and the heads of other DoD Components to "educate employees and contractors on their responsibilities for protecting information in identifiable form that is being collected, maintained, and disseminated by IT systems." Specific PIA training should be required at all levels. PIA training would enable individuals to understand when a PIA is required and the correct reporting structure for processing a PIA, and would ensure that systems requiring a PIA are properly reviewed to verify that safeguards are in place that limit the risk that personal information will be compromised or lost. Of the 12 locations reviewed, the TRICARE Management Activity was the only DoD Component that had a formal PIA training program, and the TRICARE Management Activity system owners were the most knowledgeable about the requirements for evaluating IT systems in relation to PIAs.

The implementation of PIA guidance and training is essential to protect personal information in information technology systems.
The failure to implement PIA requirements could result in unauthorized disclosure of personal information causing significant harm to members of the public.

Conclusion

DoD information systems may not conform to DoD and Federal policies regarding privacy information, and DoD Components may be operating information systems that do not provide safeguards to prevent the compromise and misuse of the public's personally identifiable information. The Components should identify the CIOs as the officials responsible for PIAs. The CIO must disseminate the DoD PIA Guidance throughout the Components to ensure that Components complete PIAs, establish a process for reviewing and approving PIAs before forwarding the PIA to the ASD(NII)/DoD CIO and OMB, and post the PIA on the public Web site. ASD(NII)/DoD CIO, the Military Departments, and DoD Components need to develop additional, clarifying PIA guidance and oversee the implementation of the new and current guidance to ensure that the Component CIOs are implementing an effective PIA program. PIA training must be developed and provided to any individual involved in the PIA process to ensure that the requirements of the program are being met.

Recommendations, Management Comments, and Audit Response

B.1. We recommend that the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer, in coordination with the Director of Administration and Management, Office of the Secretary of Defense/DoD Senior Privacy Official:

        a.
Determine the most appropriate management structure for overseeing a Department-level privacy and Privacy Impact Assessment program in accordance with the requirements of the E-Government Act of 2002 and Office of Management and Budget Memorandum 03-22, "OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002," September 26, 2003, and subsequent Office of Management and Budget guidance for Privacy Impact Assessments and protection of personally identifiable information.

Management Comments. The ASD(NII)/DoD CIO concurred with this recommendation. Management reviewed the current management structure and determined that a decision to keep the current management structure appears to be most appropriate. The ASD(NII)/DoD CIO and the Office of the Director of Administration and Management work closely on protecting personally identifiable information and PIAs.

Audit Response. ASD(NII)/DoD CIO comments were partially responsive to the recommendation. We acknowledge the corrective actions taken by management to address deficiencies identified during this audit. Effective management of Privacy and PIAs is dependent on consistent coordination between the two offices. We request that both the ASD(NII)/DoD CIO and the Director of Administration and Management validate and approve the state of the current management structure for overseeing Privacy and PIAs in DoD.

        b. Revise the charters of the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer and the Director of Administration and Management, Office of the Secretary of Defense/DoD Senior Privacy Official to reflect the conclusions reached under recommendation B.1.a.

Management Comments.
The ASD(NII)/DoD CIO did not respond to the recommendation, stating that this recommendation did not apply based on their comments on Recommendation B.1.a. The ASD(NII)/DoD CIO stated that current missions as recorded in DoD policies and regulations are appropriate.

Audit Response. The ASD(NII)/DoD CIO did not comment on this recommendation because they concluded a revision was not required to the current management structure. Based on our response to management comments to Recommendation B.1.a., we request that the ASD(NII)/DoD CIO provide additional comments on the final report.

        c. Revise Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer Memorandum, "Department of Defense (DoD) Privacy Impact Assessment (PIA) Guidance," October 28, 2005, to reflect actions taken in accordance with Recommendations B.1.a. and B.1.b. and to:

            (1) Require that implementing guidance for the DoD Components' revised memorandum be reviewed and approved by the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer and issued within 60 days of publication of the revised Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer memorandum;

Management Comments. ASD(NII)/DoD CIO concurred with this recommendation. However, management recommends 120 days to issue the implementing guidance as opposed to 60 days.

Audit Response. ASD(NII)/DoD CIO comments were responsive to the recommendation. We concur with management's comments and the request for 120 days to issue the implementing guidance.
No further comments are required.

            (2) Require that all DoD Components forward PIAs to the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer for review and approval;

Management Comments. The ASD(NII)/DoD CIO partially concurred with the recommendation, stating that Components will be required to submit their PIAs after they are approved at the Component level. DoD PIA guidance is expected to be updated by fourth quarter FY07 and will include this recommendation.

Audit Response. Although management partially concurred with the recommendation, their comments are responsive to the recommendation. We discussed this recommendation with ASD(NII)/DoD CIO, and we agree that management should review PIAs for completion after PIAs have been reviewed and approved at the Component level. No additional comments are required.

            (3) Require that the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer, rather than Component Chief Information Officers, be responsible for submitting approved Privacy Impact Assessments to the Office of Management and Budget;

Management Comments. The ASD(NII)/DoD CIO concurred with the recommendation. The revised DoD PIA guidance will incorporate this requirement.

Audit Response. The ASD(NII)/DoD CIO comments are responsive to the recommendation; therefore, no further comments are required.

            (4) Require that all personally identifiable data for DoD employees be afforded the same level of assessment and protection provided to data for the general public;

Management Comments. Management concurred with the recommendation. ASD(NII)/DoD CIO will incorporate the recommendation into the revised PIA guidance.

Audit Response. The ASD(NII)/DoD CIO comments are responsive to the recommendation.
We concur with management's comments with the understanding that revised PIA guidance will require PIAs for all systems that contain personally identifiable information on DoD employees and members of the public. No further comments are required.

            (5) Clarify how the Privacy Impact Assessment request link on the Web site of the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer is responsive to the requirement of the E-Government Act to make Privacy Impact Assessments publicly available; and

Management Comments. The ASD(NII)/DoD CIO concurred with the recommendation. The ASD(NII)/DoD CIO PIA Web site will display a link to each Component's PIA Web site that lists all PIAs after the DoD PIA guidance is revised in the fourth quarter of FY 07.

Audit Response. The ASD(NII)/DoD CIO comments were responsive to the recommendation; therefore, no further comments are required.

            (6) Specify the target audience and nature of training that DoD Components are required to provide for Privacy Impact Assessments.

Management Comments. Management concurred with the recommendation. ASD(NII)/DoD CIO annually briefs the DoD resource managers on the PIA requirements for the major IT systems reported in the Exhibit 300s. By July 31, 2007, management will have reviewed the curriculums at the Defense Acquisition University and Information Resources Management College to determine whether PIA information is captured in their courses. Also by July 31, 2007, PIA training content will be added to the Defense Information Systems Agency Information Assurance training program and distributed DoD-wide.

Audit Response. ASD(NII)/DoD CIO comments were responsive to the recommendation; therefore, no further comments are required.

B.2.
We recommend that the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer require that DoD Component CIOs:

        a. Disseminate Office of Management and Budget Memorandum 03-22 and Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer October 28, 2005, Privacy Impact Assessment guidance to all Component information technology system owners to assist them in conducting required Privacy Impact Assessments, pending receipt of revised DoD and DoD Component guidance;

Management Comments. The ASD(NII)/DoD CIO concurred with the recommendation. The estimated completion date for this task is May 31, 2007.

Audit Response. The ASD(NII)/DoD CIO comments were responsive to the recommendation; therefore, no further comments are required.

        b. Advise subordinate Component Chief Information Officers and privacy officers that personally identifiable data for DoD employees should be afforded the same level of assessment and protection offered to similar data from the general public.

Management Comments. Management concurred with the recommendation. The revised DoD PIA guidance will incorporate this recommendation.

Audit Response. The ASD(NII)/DoD CIO comments are responsive. We concur that this action will be completed after the DoD PIA guidance is revised in the fourth quarter of FY 07. No further comments are required.

C. Reporting in the DoD Information Technology Portfolio Repository

DoD Components did not accurately report system status information in DITPR. This condition occurred because the ASD(NII)/DoD CIO and the Components did not have effective internal controls in place to validate the accuracy of the system status information posted in the various DITPR data elements.
As a result, the DoD, OMB, and the Congress are making management and budgetary decisions based on unreliable reports generated from DITPR, the sole DoD-wide data repository for system information on the status of DoD information systems.

DoD Information Technology Portfolio Repository Guidance

The DoD CIO Memorandum, "Department of Defense (DoD) Information Technology (IT) Portfolio Repository (DITPR) and DoD SIPRNet IT Registry Annual Guidance for 2006," May 17, 2006 (DITPR Guidance), states that DITPR is the DoD's authoritative unclassified inventory of IT systems. DITPR is the repository for system information used to meet a wide variety of internal and external reporting requirements. Examples include regularly scheduled reports driven by legislative or regulatory mandates that use data from throughout DoD, annual reports required by other Federal departments, and ad hoc reports using a subset of the data available in DITPR. DITPR is the DoD data source for, among other things, required reporting on system certification, FISMA, E-Authentication, PIA, and the Privacy Act, as well as the inventory of systems required by the Clinger Cohen Act and for Portfolio Management. DITPR requires that system owners answer "trigger" questions that determine whether certain data elements apply to their system. When a system owner answers yes to a trigger question, DITPR requires additional information. For instance, to determine whether system owners should enter PIA and Privacy Act information into DITPR, the system owner would answer yes to the question, "Does this system contain personally identifiable information?" If the questions do not apply, DITPR requires that system owners provide an explanation. However, the database does not have automatic controls to preclude incorrect reporting, such as failure to respond to a trigger question.

Reporting

DoD Components did not accurately report information in DITPR. The DITPR Guidance reiterates the requirements of the E-Government Act by requiring that system owners conduct PIAs for any new or significantly altered IT system that collects, maintains, or disseminates information in identifiable form from or about members of the public. ASD(NII)/DoD CIO required for the first time that system owners complete PIA data elements in DITPR by March 1, 2006, and Privacy Act data elements by July 1, 2006. Additionally, OMB Memorandum 06-20 of July 17, 2006, requires that agencies immediately provide quarterly updates on privacy program metrics to OMB to support the President's Management Agenda scorecard.

Systems Reviewed. System owners for 7 of the 18 systems (39 percent) stated that the PIA information in DITPR was not correct. In addition, an IA manager for four Navy systems stated that she did not know if the information in DITPR was correct because she did not assess the systems to determine whether they contained personally identifiable information. However, based on the information in the briefings of the systems provided to us by the system owners, we determined that data for 10 of the 18 systems (56 percent) was incorrect. Many of the system owners stated that they were confused when reporting PIA information in DITPR because system owners were not familiar with PIA requirements and therefore could not determine if a PIA was required. See Appendix C for the 18 systems reviewed and those not correctly reported in DITPR.

Army. We reviewed three Army IT systems that were reported in DITPR as requiring a PIA. The system owners of two systems, however, subsequently determined that their DITPR entry was not correct. The system owners stated that DITPR should report that no PIA is required for the two systems because they did not contain public information in identifiable form; however, we determined that one system contained personally identifiable information on members of the public. According to the system owner, the system contained loan information for family members or associates of DoD personnel. The loan information gathered on family members and associates includes names and addresses. In addition, the system is undergoing a major modification, which creates a new privacy risk. Therefore, system owners should have conducted a PIA on the system and reported in DITPR that the system required a PIA.

The system owner for the third system stated that the location completed a PIA and correctly reported in DITPR that a PIA was required. Based on discussions with the system owners for the three Army systems reviewed, we determined that the DITPR reporting for one of the three systems was not correct.

Navy. We reviewed six Navy IT systems. A system owner for one system completed a PIA and correctly reported in DITPR that a PIA was required. Another system owner reported in DITPR that a PIA was required because the system contained privacy protected information. However, the system had existed for several years and was not undergoing any additional development. Therefore, the system did not meet the "new or significantly altered" criterion for a system requiring a PIA. DITPR did not identify the caveat. Accordingly, the system owner should not have listed in DITPR that the system required a PIA.

System owners for the remaining four systems reported in DITPR that a PIA was not required for three systems and was required for the fourth system. However, the system owners stated that they did not assess the systems to determine whether a PIA was required because they were not familiar with the PIA requirements. In June 2006, the Navy issued PIA guidance that requires systems with personally identifiable information on public and DoD personnel to conduct a PIA. Based on the new guidance, we determined that all four systems required a PIA because the systems contained personally identifiable information. In addition, the IA manager stated that the systems met the PIA requirements because the systems were constantly being modified. Based on discussions with the system owners for the six Navy systems reviewed, we determined that the DITPR reporting for four of the six systems was not correct.

Air Force. We reviewed six Air Force IT systems. The DITPR reported that four of the six systems required a PIA. System owners for three of the six systems stated that DITPR was not correct when reporting that a PIA was required for those three systems. The system owner for the fourth system prepared a draft PIA and reported in DITPR that a PIA was required. System owners for the remaining two systems reported in DITPR that a PIA is not required; however, one of the two systems met the criteria for requiring a PIA and contained personally identifiable information. The system required a PIA because it was initiating a new electronic collection of information in identifiable form for the public. Also, the system contained the names, social security numbers, and addresses for family members of DoD personnel and contractors. Based on discussions with the system owners for the six Air Force systems reviewed, we determined that the DITPR reporting for four of the six systems was not correct.

Additionally, at one Air Force location visited, two officials in charge of updating DITPR stated that they did not know who reported in DITPR that a PIA was required for their system and did not recall seeing the PIA question before. The two officials also stated that they were not familiar with a PIA or the PIA requirements.

DoD Agencies. We reviewed three DoD agencies' IT systems. One DoD agency official stated that when DoD issued PIA Guidance, there was confusion about which systems required a PIA. System owners for two of the three systems reported in the DITPR that the system required a PIA. However, the system owner for one of the two systems subsequently determined that the entry in DITPR, which identified that a PIA was required, was not correct. The official stated that the reason the system did not require a PIA was because the system is a National Security System and exempt from conducting a PIA. The system owner for the third system stated that the information in DITPR was correct, which stated that a PIA was not required. Based on discussions with the system owners for the three Defense agency systems reviewed, we determined that the DITPR reporting for one of the three systems was not correct.

DoD Component system owners should consult DoD PIA or Component implementing guidance when performing a PIA for systems containing personally identifiable information. Component PIA officials should ensure that all levels within their Component are aware of the DoD PIA and the Component's implementing guidance.
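The internal controls this report calls for can be expressed as record-level consistency rules over the trigger-question structure described under DoD Information Technology Portfolio Repository Guidance: a blank trigger answer, a "yes" with its dependent element left empty, a "no" without the required explanation, or a system reported as accredited with no accreditation vehicle or only an interim authority to operate. The following is an added example written for this page; it is not part of the audit report and not DITPR's own software, and its field names, the SystemRecord layout, and the sample records are constructed for illustration rather than DITPR's real data elements.

```python
"""Consistency checks for DITPR-style system records.

Added example (not part of the audit report and not DITPR's own software):
it encodes the trigger-question dependencies the report describes as
record-level rules, so that blank or contradictory entries are caught
before a Component CIO certifies the data.  Field names and sample records
are constructed for illustration and are not DITPR's real data elements.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SystemRecord:
    name: str
    component: str
    contains_pii: Optional[str]            # trigger question: "yes", "no" or None (blank)
    pia_required: Optional[str]            # dependent element, needed when contains_pii == "yes"
    na_explanation: Optional[str]          # explanation, needed when contains_pii == "no"
    ca_required: Optional[str]             # trigger question for the FISMA / C&A elements
    accredited: Optional[str]              # "yes"/"no", dependent on ca_required == "yes"
    accreditation_vehicle: Optional[str]   # e.g. "DITSCAP"; needed when accredited == "yes"
    authority: Optional[str]               # "ato", "iato" or None (no authority to operate)


def validate(rec: SystemRecord) -> List[str]:
    """Return the internal-control findings for one record (empty list if clean)."""
    findings: List[str] = []

    # PII trigger question and the elements that depend on it.
    if rec.contains_pii not in ("yes", "no"):
        findings.append("PII trigger question not answered")
    elif rec.contains_pii == "yes" and not rec.pia_required:
        findings.append("PII reported but PIA element left blank")
    elif rec.contains_pii == "no" and not rec.na_explanation:
        findings.append("PII trigger answered 'no' without the required explanation")

    # C&A trigger question and the elements that depend on it.
    if rec.ca_required == "yes":
        if rec.accredited not in ("yes", "no"):
            findings.append("C&A required but accreditation status left blank")
        elif rec.accredited == "yes":
            if not rec.accreditation_vehicle:
                findings.append("reported as accredited but no accreditation vehicle recorded")
            if rec.authority != "ato":
                findings.append("reported as accredited without a full authority to operate")
    return findings


def audit(records: List[SystemRecord]) -> Dict[str, List[str]]:
    """Map each system name to its findings, omitting systems with none."""
    result: Dict[str, List[str]] = {}
    for rec in records:
        findings = validate(rec)
        if findings:
            result[rec.name] = findings
    return result


def blank_trigger_by_component(records: List[SystemRecord]) -> Counter:
    """Count, per Component, the systems whose PII trigger question is blank."""
    return Counter(r.component for r in records if r.contains_pii not in ("yes", "no"))


# Constructed sample records (not real DITPR data).
SAMPLE_RECORDS = [
    SystemRecord("SYS-A", "Army", "yes", "yes", None, "yes", "yes", "DITSCAP", "ato"),
    SystemRecord("SYS-B", "Army", None, None, None, "yes", "no", None, None),
    SystemRecord("SYS-C", "Navy", "yes", None, None, "no", None, None, None),
    # "no" without explanation; accredited with no vehicle and only an interim authority.
    SystemRecord("SYS-D", "Navy", "no", None, None, "yes", "yes", None, "iato"),
    SystemRecord("SYS-E", "Air Force", "no", None, "system holds no PII", "no", None, None, None),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RECORDS).items():
        print(name, "->", "; ".join(findings))
    print("blank PII trigger by Component:", dict(blank_trigger_by_component(SAMPLE_RECORDS)))
```

Run against the constructed records, SYS-A and SYS-E pass, SYS-B is flagged for the unanswered trigger question, SYS-C for a "yes" with no PIA element, and SYS-D for three findings, the last two of which mirror the Naval Postgraduate School situation described later in this section. The per-Component count of blank trigger answers is the figure a Component CIO would want to drive to zero before certifying the data in writing.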
System owners also need to verify that PIA information reported in DITPR is accurate, and Component PIA and privacy officials need to establish effective internal controls to verify reporting accuracy, so that OMB and Congress receive accurate reporting on the status of DoD information systems.

PIA Information in DITPR. The DITPR reporting on whether systems required a PIA fluctuated greatly. On February 13, 2006, DITPR identified that 188 DoD systems required a PIA; on August 3, 2006, 299 systems required a PIA; and on September 5, 2006, DITPR reported that 198 systems required a PIA. As of September 8, 2006, DoD Components did not report in DITPR whether a PIA was required for 1,367 systems, which included 1,185 Army systems, 91 Navy systems, and 27 Air Force systems. ASD(NII)/DoD CIO officials stated that the information in DITPR varied greatly because DITPR was implemented in phases.

Submitting PIAs. On February 14, 2006, the DoD PIA official stated that the DoD Components submitted only 19 approved PIAs to the DoD PIA office. On August 29, 2006, we asked whether the Components submitted additional PIAs to the DoD PIA office since February 2006. The Director of the office responsible for the DoD PIA Program stated that the job position designated to collect and post PIAs to the ASD(NII)/DoD CIO Web site was vacant. The DoD PIA official who was in place in February left in May and has not been replaced. The Director did not know how many additional PIAs the DoD Components submitted to the DoD PIA office. However, the DoD Components reported in DITPR, as of September 5, 2006, that they submitted 36 PIAs to OMB.

Validation of Information

Naval Postgraduate School Reporting. During interviews with the system owners for the 18 systems reviewed, we identified that other security data elements for 4 of the 18 systems in DITPR were not correct. The DITPR Guidance requires that system owners report whether a system requires certification and accreditation. A "yes" response to the question requires that the system owner complete the FISMA information in DITPR. The system owner must identify, as part of those questions, the accreditation method used for certifying and accrediting the system. The method could include the DoD Information Technology Security Certification and Accreditation Process, the DoD Information Assurance Certification and Accreditation Process, or the process used for intelligence systems.

System owners at the Naval Postgraduate School reported in DITPR that four systems had been certified and accredited when they were not. According to the IA manager, three of the four systems had been operational for 5 years, and the fourth system for 2 years. The IA manager stated that the systems were not certified and accredited because the certification and accreditation process was "too expensive and takes too long." The following are the four systems operating with no certification or accreditation:

• Departmental Online Reporting System;

• Electronic Time and Attendance Certification System;

• Management Information System; and the

• Python Education Management System.

Before we left the audit site, the IA manager provided memorandums, signed by the Designated Approving Authority, granting the four systems an interim authority to operate on May 10, 2006. The IA manager stated that the length of time the systems had been in operation and the Designated Approving Authority's familiarity with the four systems made granting the interim authority to operate appropriate. According to the IA manager, the interim authorities to operate were not based on security documentation or testing required for the system but on the Designated Approving Authority's knowledge of the system's performance.

The IA manager stated that the System Security Authorization Agreement—which documents the actions, decisions, security requirements, and the level of effort needed to certify and accredit any information system—will be prepared by the end of May 2007. The IA manager stated that once the System Security Authorization Agreements are complete, the Designated Approving Authority would grant the four systems an authority to operate.

As of June 2006, the Naval Postgraduate School reported in DITPR that three systems were accredited on May 10, 2006 and one system on May 31, 2006, in accordance with the DoD Information Technology Security Certification and Accreditation Process, and granted an authority to operate. DITPR also reported that accreditation would expire on May 10, 2009 and May 31, 2009, respectively. DITPR should report that the four systems have no authority to operate and that the accreditation vehicle element in DITPR did not apply because none was used.

The IA manager's methodology for granting a system approval to operate without being certified and accredited is flawed. DoD policy requires that a specific process be followed prior to granting a system authority to operate. One cannot base the decision to certify and accredit on the length of time a system has been in operation or whether the Designated Approving Authority is familiar with the system when granting the interim authority to operate.

Until the IA manager prepares the required documentation and appropriately tests the IA controls identified for the Departmental Online Reporting System, the Electronic Time and Attendance Certification System, the Management Information System, and the Python Education Management System, the Naval Postgraduate School should report to the Navy CIO and the DoD CIO that the systems are not certified and accredited. The IA manager should immediately certify and accredit the systems in accordance with DoD policy and develop a plan of action and milestones for how and when the certification and accreditation will be completed. Additionally, the Designated Approving Authority should not grant any authority to operate until the Certifying Authority certifies the system to operate in an environment that warrants an acceptable risk that the system's information is protected to the highest level required.

Validation of DITPR Information. Component CIOs did not validate the system information reported in DITPR. The DITPR guidance states that the Components and Component CIO are responsible for the completeness and accuracy of the information in DITPR. The guidance requires that a Component CIO certify in writing that he or she has complied with FISMA, PIA, and privacy requirements. The DITPR guidance states that to have complete and authoritative data, the Component CIO should implement automated controls, revise internal business processes, and establish tracking mechanisms. At a minimum, Component CIOs should update and maintain their Components' input to DITPR quarterly. However, the guidance recommends that the CIO change from quarterly updates to updating every time the information changes.

The CIOs for the Army, Navy, Air Force, and Defense Threat Reduction Agency did not correctly report in DITPR PIA information for 10 of 18 systems reviewed. Specifically, the Army did not correctly report PIA information in DITPR for one system, the Navy for four systems, the Air Force for four systems, and the DoD agencies for one system. Additionally, the Navy CIO did not validate the accuracy of information reported for the certification and accreditation status of four systems. Before executing written certifications, CIOs need to implement controls to correct PIA and related information in DITPR.

Prior Reporting

DoD Inspector General Report No. D-2006-042, "Security Status for Systems Reported in DoD Information Technology Databases," December 30, 2005, identifies that IT system information maintained in DITPR, previously known as the IT Registry, was unreliable. The report cites that the database was not reliable because the DoD CIO and Chief Financial Officer communities failed to enact sufficient controls ensuring the accuracy and consistency of Component system data. Additionally, the report identifies that ASD(NII)/DoD CIO did not enact sufficient controls that would ensure the accuracy of information in DITPR. Report No. D-2006-042 states that the DoD FISMA Report to OMB and Congress was based on system data that were uncertified by DoD Components and that OSD had no other internal control mechanism for validating the data that OSD, OMB, and Congress used for management purposes. The report concluded that the incorrect, inaccurate, and incomplete information in DITPR diminishes the usefulness of the database for management oversight. The report also concludes that unless DoD management develops and enforces effective internal quality assurance controls over Component-controlled data in DITPR, the situation will continue.

We recommended in DoD Inspector General Report No. D-2006-042 that ASD(NII)/DoD CIO advise OMB and the Congress that DoD did not have viable internal controls over the accuracy of data it is reporting on the security of its IT systems and investments and caveat all reports based on data drawn from unreliable databases, such as the IT Registry/DITPR and the Information Technology Management Application/Select Native Programming – Information Technology, until effective internal controls are in place for at least one full year reporting cycle. The report also recommends that the ASD(NII)/DoD CIO develop internal controls other than Component CIO and Chief Financial Officer certifications, report the discrepancies between DoD databases as a material control weakness, and develop a Plan of Action and Milestones to track and correct deficient conditions. Until such time as the ASD(NII)/DoD CIO effectively implements those recommendations, the information from DITPR generated in reports to OMB and Congress will remain unreliable.

The inaccurate PIA information and the Naval Postgraduate School's misreporting of at least four systems in DITPR compound the fact that the information in the DoD FISMA Report to OMB and Congress is unreliable. Unreliable information reported in the DITPR jeopardizes the efficient and effective management of IT systems and potentially compromises protection of personal information. The misreporting further demonstrates the need for ASD(NII)/DoD CIO to develop and enforce effective internal quality assurance controls to ensure accuracy of the DITPR information.

Conclusion

Component CIOs did not report accurate information in DITPR to the Office of the Secretary of Defense, OMB, and the Congress. As a result, the Office of the Secretary of Defense, OMB, and the Congress are making management and budgetary decisions based on unreliable reports generated from DITPR, the sole DoD-wide data repository for information at the system level for the status of DoD information systems. System owners should complete PIAs when required to guarantee that safeguards are in place to protect the public's personal information and limit risks. Completed PIAs are not being provided to the DoD CIO as required, and the DoD CIO does not have an individual in place to track PIAs. The accreditation status for Navy systems puts information on those systems at risk.

ASD(NII)/DoD CIO and DoD Components must establish effective internal controls to verify that the information in DITPR is accurate. Previous DoD Inspector General audit reports identified inconsistencies and inaccuracies in the information being reported in DITPR. This persistent problem further demonstrates the need for ASD(NII)/DoD CIO to develop and enforce effective internal quality assurance controls to ensure accuracy of the DITPR information.

Recommendations, Management Comments, and Audit Response

C.1. We recommend that the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer:

a. Establish effective internal controls for DITPR; and

Management Comments. The ASD(NII)/DoD CIO concurred with the recommendation.
Annual DITPR guidance has institutionalized a data quality improvement program with specific milestones. Data quality results are emphasized and reported at monthly meetings of the Technical Solutions Integrated Product Team and at bimonthly DITPR In-Process Reviews. The IT Management Data Community of Interest has been established to begin building a netcentric capability for publishing and subscribing to all authoritative and complete DITPR data. Components will ensure that data they submit are complete and authoritative through a Verification and Validation study. The process should ensure that DITPR data elements across the Department are populated and traceable to complete and authoritative data once fully implemented.

Audit Response. Management comments are partially responsive to the recommendation. Although the proposed management corrective action is responsive to the intent of the recommendation, ASD(NII)/DoD CIO did not provide an estimated completion date for the corrective action as required by DoD Directive 7650.3, "Follow-up on General Accounting Office (GAO), DoD Inspector General (DoD IG), and Internal Audit Reports," June 3, 2004; Certified current as of October 18, 2006. We request that ASD(NII)/DoD CIO provide the proposed completion date.

b. Appoint an official who will manage and track approved Privacy Impact Assessments sent to the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer.

Management Comments. Management concurred with the recommendation. ASD(NII)/DoD CIO, Director of Management Services is assigned to manage and track PIAs.

Audit Response. ASD(NII)/DoD CIO comments were responsive to the recommendation; therefore, no further comments are required.

C.2. We recommend that the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer require that DoD Component Chief Information Officers:

a. Evaluate the Component inventory of systems in the DoD Information Technology Portfolio Repository to determine whether the systems contain personally identifiable information to include information on DoD personnel;

Management Comments. ASD(NII)/DoD CIO concurred with the recommendation. Management and the Component CIOs are evaluating systems that contain personally identifiable information.

Audit Response. The ASD(NII)/DoD CIO comments are partially responsive to the recommendation. Although proposed management corrective action is responsive to the intent of the recommendation, the ASD(NII)/DoD CIO did not provide an estimated completion date for the corrective action as required by DoD Directive 7650.3. We request that ASD(NII)/DoD CIO provide the proposed completion date.

b. Validate that the Privacy Impact Assessment as well as security status information reported in the DoD Information Technology Portfolio Repository for the program offices is accurate before certifying to the DoD Chief Information Office that the information is correct; and

Management Comments. The ASD(NII)/DoD CIO concurred with the recommendation. The revised PIA guidance and annual DITPR guidance will emphasize the importance of validating entries into DITPR and certifying that the information is correct. Reviews of the blank responses to the PIA trigger question and follow-ups with major Components to identify inconsistencies are being conducted. This data quality effort will continue until inconsistencies found in DITPR are corrected. A PIA and Privacy working group meeting is planned for late March 2007 to provide awareness training and guidance.

Audit Response. The ASD(NII)/DoD CIO comments are responsive to the recommendation; therefore, no further comments are required.

c. Implement automated controls, revise internal business processes, and establish tracking mechanisms that will provide complete and accurate information to the DoD Information Technology Portfolio Repository.

Management Comments. Management concurred with the recommendation. Reference Recommendation C.1.a.

Audit Response. The ASD(NII)/DoD CIO comments are partially responsive to the recommendation. Although management's proposed corrective actions are responsive to the intent of the recommendation, ASD(NII)/DoD CIO did not provide an estimated completion date for the corrective action as required by DoD Directive 7650.3. We request that ASD(NII)/DoD CIO provide the proposed completion date.

C.3. We recommend that the Chief Information Officer, Naval Postgraduate School:

a. Immediately begin efforts to certify and accredit the Reporting System, the Electronic Time and Attendance Certification System, the Management Information System, and the Python Education Management System in accordance with DoD policy.

Management Comments. The Naval Postgraduate School concurred with the recommendation. Management has begun the process of the DoD IT Security Certification and Accreditation Process for all four systems. Once completed, the System Security Authorization Agreement for each system will be submitted to Naval Network Warfare Command, Operational Designated Approval Authority for Approval to Operate. The estimated completion of this task is December 31, 2007.

Audit Response. Naval Postgraduate School comments were responsive to the recommendation; therefore, no further comments are required.

b. Report to the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer; the Chief Information Officer, Department of the Navy; and in the DoD Information Technology Portfolio Repository that the Departmental Online Reporting System, the Electronic Time and Attendance Certification System, the Management Information System, and the Python Education Management System are not certified or accredited.

Management Comments. The Naval Postgraduate School concurred with the recommendation. Management is working with the Department of Navy CIO office to accurately reflect the certification and accreditation status in the DITPR-Department of Navy. The estimated completion of this task is December 31, 2007.

Audit Response. The Naval Postgraduate School comments were responsive to the recommendation; therefore, no further comments are required.

c. Require that the Designated Approving Authority for the Departmental Online Reporting System, the Electronic Time and Attendance Certification System, the Management Information System, and the Python Education Management System not grant any authority to operate until the system owners certify the systems to operate in an environment that warrants an acceptable risk that the system's information is protected to the highest level possible.

Management Comments. Management concurred with the recommendation. The Naval Postgraduate School has completed the evaluation of the IA controls, the minimum security checklist for each system, the local residual risk assessment, and the risk statement. The Naval Postgraduate School, system owner, has confirmed the appropriate security protections are in place for the systems to process sensitive unclassified information. A Security Test and Evaluation is planned as part of the certification and accreditation process this year. The estimated completion of this task is December 31, 2007.

Audit Response. The Naval Postgraduate School comments were responsive to the recommendation; therefore, no further comments are required.

Appendix A. Scope and Methodology

Privacy Impact Assessments. We queried DITPR to identify the Components who were reporting that a PIA was or was not required for one or more of their systems. On February 13, 2006, 188 systems were identified in DITPR as requiring a PIA. We judgmentally selected 10 systems for review: 3 Army, 3 Navy, 2 Air Force, 1 TRICARE Management Activity, and 1 Defense Threat Reduction Agency. We also selected two systems, one Air Force and one Washington Headquarters Service system, that were reported in DITPR as not requiring a PIA.

We visited the Privacy and CIO offices for the Departments of the Army, the Navy, and the Air Force, the Defense Threat Reduction Agency, the Washington Headquarters Service, and the TRICARE Management Activity and the following 12 program offices responsible for the security of the systems selected for review. We reviewed whether system owners were correctly assessing whether a system required a PIA, reporting accurate PIA information in DITPR, and submitting PIAs to ASD(NII)/DoD CIO.
We also reviewed whether the Components posted PIAs to their public Web sites.

• Army Criminal Investigative Command, Fort Belvoir Army Base, Fort Belvoir, Virginia

• Army Office of the General Counsel, Arlington, Virginia

• Army Corps of Engineers Finance Center, Millington, Tennessee and the Corps of Engineers Program Office, Huntsville, Alabama

• Naval Criminal Investigative Service, Washington Navy Yard, Washington, D.C.

• Navy Office of the Judge Advocate General, Washington Navy Yard, Washington, D.C.

• Naval Postgraduate School, Monterey, California

• Air Force Reserve Command, Robins Air Force Base, Georgia

• Office of Special Investigations, Andrews Air Force Base, Maryland

• Air Force Air Mobility Command, Scott Air Force Base, Illinois

• Defense Threat Reduction Agency, Fort Belvoir Army Base, Fort Belvoir, Virginia

• TRICARE Management Activity, Falls Church, Virginia

• Washington Headquarters Service, Arlington, Virginia

During our visits to the 12 program offices, we determined that the Navy and Air Force offices owned 6 additional systems. We reviewed 3 Navy and 3 Air Force systems at these locations. We did not select additional systems for the Army because the offices visited did not own any additional systems to review. See Appendix B for the 18 systems selected for review.

We evaluated the PIA program based on the requirements in the E-Government Act, OMB Memorandums 03-22 and 06-20, the DoD PIA Guidance, the FY06 DITPR Guidance, Army Regulation 340-21, SECNAV Instruction 5211.5E, and Air Force Instruction 33-332. The policy and guidance reviewed were dated from July 1985 through May 2006.

We conducted interviews with officials from ASD(NII)/DoD CIO responsible for the DoD PIA Program; Component-level CIOs and Component-level Privacy, PIA, and FOIA officials; and Privacy, PIA, and FOIA officials at the program offices.

DoD Privacy Program. At the 12 PIA program offices visited, we also met with privacy program officials to assess compliance with the DoD Privacy Program. Specifically, we reviewed systems of records in electronic and paper-based form, system notices published in the Federal Register, privacy training programs, DoD and non-DoD forms containing personally identifiable information, and privacy staffing requirements at each office. We also reviewed personnel folders at the locations to determine whether Privacy Act statements were included on forms containing personally protected information, filed in a system of records, and retrieved by personal identifier.

We interviewed officials and obtained documentation from ASD(NII)/DoD CIO, the Defense Privacy Office, the Department of the Army CIO, Department of the Army FOIA/Privacy Act office, Army Corps of Engineers Headquarters, Secretary of the Navy Chief of Naval Operations FOIA office, Navy CIO, and Secretary of the Air Force Warfighting Integration and CIO.

We evaluated the DoD Privacy Program based on the requirements of the Privacy Act of 1974, DoD Directive 5400.11, DoD Regulation 5400.11-R, and OMB Memorandum M-06-15. The policy and guidance reviewed were dated from September 1974 through May 2006.

We performed this audit from January through December 2006 in accordance with generally accepted government auditing standards.

Use of Computer-Processed Data. We did not use computer-processed data to perform this audit.

Government Accountability Office High-Risk Area. GAO identified several high-risk areas in DoD. This report provides coverage of the Protecting the Federal Government's Information-Sharing Mechanisms and the Nation's Critical Infrastructures high-risk area.

Prior Coverage

During the last 5 years, the GAO and the DoD Inspector General issued three reports discussing the Privacy Act and PIAs. Unrestricted GAO reports can be accessed over the Internet at http://www.gao.gov. Unrestricted DoD IG reports can be accessed at http://www.dodig.mil/audit/reports.

GAO

GAO Testimony GAO 06-77T, "Privacy, Key Challenges Facing Federal Agencies," May 17, 2006

DoD IG

DoD IG Report D-2004-033, "Terrorism Information Awareness Program," December 12, 2003

DoD IG Report D-2006-042, "Security Status for Systems Reported in DoD Information Technology Database," December 30, 2005

Appendix B.
\tForms Without Privacy Act\n             Statements\n   We identified the following forms in a system of records that did not contain a\n   Privacy Act statement:\n\n          \xe2\x80\xa2\t Department of the Army Form, \xe2\x80\x9cCertificate of Clearance and/or\n             Security Determination\xe2\x80\x9d\n\n          \xe2\x80\xa2\t Department of the Army Form 1256, \xe2\x80\x9cIncentive Award Nomination\n             and Approval\xe2\x80\x9d\n\n          \xe2\x80\xa2\t Department of the Army Form 7223, \xe2\x80\x9cBase System Civilian\n             Evaluation Report\xe2\x80\x9d\n\n          \xe2\x80\xa2\t DD Form 214, \xe2\x80\x9cCertificate of Release or Discharge from Active Duty\xe2\x80\x9d\n\n          \xe2\x80\xa2\t Form PD-21 \xe2\x80\x9cApplication Forms in the Distance Learning Product\n             Development for the 21st Century\xe2\x80\x9d\n          \xe2\x80\xa2\t Form W-4, \xe2\x80\x9cEmployee\xe2\x80\x99s Withholding Allowance Certificate\xe2\x80\x9d\n\n          \xe2\x80\xa2\t Form 7311, \xe2\x80\x9cWithholding Certificate for Local Taxes\xe2\x80\x9d\n\n          \xe2\x80\xa2\t Form 50271-101m, \xe2\x80\x9cConversation Record\xe2\x80\x9d\n\n          \xe2\x80\xa2\t Memorandum Form CICG SC 380-67, \xe2\x80\x9cNotice of Intention to Hire\xe2\x80\x9d\n\n          \xe2\x80\xa2\t Memorandum Form CISP PE 690, \xe2\x80\x9cEmergency Contact\xe2\x80\x9d\n\n          \xe2\x80\xa2\t Optional Form B 873, \xe2\x80\x9cPosition Description - D.C.\xe2\x80\x9d\n          \xe2\x80\xa2\t Standard Form 7-B, \xe2\x80\x9cRequest for Estimated Earnings During Military\n             Service\xe2\x80\x9d\n\n          \xe2\x80\xa2\t Standard Form 50-B, \xe2\x80\x9cNotification of Personnel Action\xe2\x80\x9d\n\n          \xe2\x80\xa2\t Standard Form 1199A, \xe2\x80\x9cDirect Deposit\xe2\x80\x9d\n\n          \xe2\x80\xa2\t Standard Form 2817, \xe2\x80\x9cLife Insurance Election\xe2\x80\x9d\n\n\n\n\n                                       41 \n\n\x0cAppendix C. 
\tSystems Reviewed for Privacy\n             Impact Assessments in the DoD\n             Information Technology Portfolio\n             Repository\n     We visited system owners to determine whether the PIA information for\n     18 systems was accurate in DITPR. Of the 18 systems reviewed, 12 systems were\n     reported in DITPR as requiring a PIA. System owners for 7 of the 18 systems\n     (39 percent) stated that the PIA information in DITPR was not correct; also, the\n     IA manager of 4 additional Navy systems stated that she did not know if the\n     information in DITPR was correct because her systems were not assessed. We\n     determined during our review that status reporting in DITPR for 10 of the\n     18 systems (56 percent) was not correct. The following is a list, by Component,\n     of the 18 systems reviewed.\n\n                                                      PIA Required\n                                                   DITPR      System        DITPR\n     Component             System Name              Data      Owner        Accurate\n    Army\n1                   Army Criminal Investigation      yes         no           no\n                    and Criminal Intelligence\n2                   Corps of Engineers Financial     yes         yes          yes\n                    Management System**\n3                   Financial Disclosure             yes         no           yes\n                    Management System**\n    Navy\n4                   Departmental Online              no          not          no\n                    Reporting System*                         assessed\n5                   Electronic Time and              yes         not          yes\n                    Attendance Certification*                 assessed\n6                   Management Information           no          not          no\n                    System**                                  assessed\n7                   Nautilus Case Tracking           yes      
   yes          yes\n                    System**\n8                   Naval Criminal Investigative     yes         no           no\n                    Service Case Management***\n\n\n\n\n                                        42 \n\n\x0c                                                                    PIA Required\n                                                                DITPR         System          DITPR\n       Component                   System Name                   Data         Owner          Accurate\n9                          Python Education                        no            not             no\n                           Management System**                                assessed\n      Air Force\n10                         Global Air Transportation               yes           yes             yes\n                           Execution System**\n11                         Investigative Information               yes           no              no\n                           Management System\n12                         Leave Request, Approval,                no            no              yes\n                           and Tracking System\n13                         Mortuary Operations                     no            no              no\n                           Management System**\n14                         Reserve Component                       yes           no              no\n                           Periodic Health System\n15                         Web Based Integrated                    yes           no              no\n                           Training System\n      Defense\n      Agencies\n16                         Arms Control Enterprise                 yes           no              no\n                           System***\n17                         Defense Blood Standard                  yes           yes             yes\n                           System**\n18                         Military Personnel                      
no            no              yes\n*\n The system contains personally identifiable information on DoD personnel and should be reported in\nDITPR as requiring a PIA, in accordance with Navy PIA Guidance.\n**\n   The system contains personally identifiable information on the public and should be reported in DITPR\nas such.\n***\n    The system contains personally identifiable information on the public; however, it is exempt from\nconducting a PIA. A system is exempt from conducting a PIA if the system is a National Security System\nor has not been developed or significantly altered since the implementation of the E-Government Act\nof 2002.\n\n\n\n\n                                                   43 \n\n\x0cAppendix D. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense for Acquisition, Technology, and Logistics\nUnder Secretary of Defense (Comptroller)/Chief Financial Officer\n   Deputy Chief Financial Officer\n   Deputy Comptroller (Program/Budget)\nAssistant Secretary of Defense for Networks & Information Integration/DoD Chief\n   Information Officer\nAssistant Secretary of Defense (Health Affairs)\nDirector of Administration and Management\nDirector, Program Analysis and Evaluation\n\nDepartment of the Army\nAdministrative Assistant to the Secretary of the Army\nAuditor General, Department of the Army\nChief Information Officer, Department of the Army\nAuditor General, US Army Corps of Engineers\n\nDepartment of the Navy\nAssistant Secretary of the Navy (Manpower and Reserve Affairs)\nNaval Inspector General\nAuditor General, Department of the Navy\nChief Information Officer, Department of Navy\nPresident, Naval Postgraduate School\n\nDepartment of the Air Force\nAssistant Secretary of the Air Force (Financial Management and Comptroller)\nAuditor General, Department of the Air Force\nChief Information Officer, Department of the Air Force\n\nCombatant Command\nInspector General, U.S. 
Joint Forces Command\n\n\n\n\n                                          44 \n\n\x0cOther Defense Organizations\nDirector, TRICARE Management Activity\nDirector, Washington Headquarters Service\nInspector General, Defense Threat Reduction Agency\nChief Information Officer, American Forces Information Service\nChief Information Officer, Defense Advanced Research Projects Agency\nChief Information Officer, Defense Contract Audit Agency\nChief Information Officer, Defense Contract Management Agency\nChief Information Officer, Defense Commissary Agency\nChief Information Officer, Defense Finance and Accounting Service\nChief Information Officer, Defense Human Resource Activity\nChief Information Officer, Defense Information Systems Agency\nChief Information Officer, Defense Logistics Agency\nChief Information Officer, Department of Defense Education Activity\nChief Information Officer, Defense Security Cooperation Agency\nChief Information Officer, Defense Security Service\nChief Information Officer, Defense Technical Information Center\nChief Information Officer, Defense Threat Reduction Agency\nChief Information Officer, DoD Test Resources Management Center\nChief Information Officer, Defense Technology Security Administration\nChief Information Officer, Missile Defense Agency\nChief Information Officer, Pentagon Force Protection Agency\nChief Information Officer, TRICARE Management Activity\nChief Information Officer, Washington Headquarters Service\n\nNon-Defense Federal Organization\nOffice of Management and Budget\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Homeland Security and Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Oversight and Government 
Reform\nHouse Subcommittee on Government Management, Organization, and Procurement,\n       Committee on Oversight and Government Reform\n\nHouse Subcommittee on National Security and Foreign Affairs, \n\n       Committee on Oversight and Government Reform\n\n\n\n\n\n                                         45 \n\n\x0c\x0cAssistant Secretary of Defense for Networks and\nInformation Integration/DoD Chief Information\nOfficer Comments\n\n\n                                          DEPARTMENT OF DEFENSE\n                                              6000 DEFENSE PENTAGON\n                                             WASHINGTON, DC 2 0 3 0 1 - 6 0 0 0\n\n\n\n                                                 0 7 MAR 2007\n    CHIEF INFORMATION OFFICER\n\n\n            MEMORANDUM FOR DEPUTY INSPECTOR GENERAL FOR AUDITING\n                             INSPECTOR GENERAL OF THE DEPARTMENT OF\n                             DEFENSE\n\n\n            SUBJECT: Draft Report on "DoD Privacy Program and Privacy Impact Assessments"\n                     (Project No. D-2006-D000AL-0087.00)\n\n\n                   Thank you for the opportunity to review the subject report. Attached is our\n\n            response to thefindingsand recommendations. We look forward to further coordination\n\n            ou this important topic, The DoD Chief Information Officer point of contact on this\n\n            matter is Mr. Gary Evans, (703) 604-1489, ext, 102.\n\n\n\n\n                                                 David     M. Wennergren\n                                                     Deputy Chief Information Officer\n\n           Attachment:\n           As stated\n\n\n\n\n                                                        47 \n\n\x0c     DoD CIO Response to DoD Office of Inspector General (OIG) Draft Audit Report, \n\n              "DoD Privacy Program and Privacy Impact Assessments" \n\n                         (Project No. D2006-D00AL-0087.000) \n\n\n\n\nSection B. 
DoD OIG Privacy Impact Assessment (PIA)\nRecommendations\nOIG Recommendation B.l. We recommend that the Assistant Secretary of Defense for\nNetworks and Information Integration/DoD Chief Information Officer, in coordination\nwith the Director of Administration and Management, Office of the Secretary of\nDefense/DoD Senior Privacy Official:\n\n        a. Determine the most appropriate management structure for overseeing a\nDepartment-level Privacy and PIA program in accordance with the requirements of the E-\nGovernment Act of 2002 and Office of Management and Budget Memorandum 03-22,\n"OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of\n2002," September 26, 2003, and subsequent Office of Management and Budget guidance\nfor Privacy Impact Assessments and protection of personally identifiable information\n\nResponse: Concur. After review of the current management structure, a decision to keep the\ncurrent management structure appears to be most appropriate. The Director, Defense Privacy\nOfficer, Office of Director, Administration and Management (DA&M) and the Office of the\nDoD CIO work closely on OMB requirements concerning protecting personally identifiable\ninformation and privacy impact assessments.\n\n        The Director, Administration and Management, Office of the Secretary of Defense, is the\ndesignated DoD Senior Privacy Officer and responsible for privacy policy. The DoD Chief\nInformation Officer responsibilities include but are not limited to information resources\nmanagement, information systems, and performance of the duties and fulfillment of the\nresponsibilities associated with information security and other matters under section 3544 of\nTitle 44, United Stales Code.\n\n        I>. 
Revise the charters of the Assistant Secretary of Defense for Networks and\nInformation Integration/DoD Chief Information Officer and the Director of\nAdministration and Management, Office of the Secretary of Defense/DoD Senior Privacy\nOfficial to reflect the conclusions reached under Recommendation B.l.a.\n\nResponse: NA. The current missions as recorded in DoD policies and regulations are\nappropriate.\n\n       c. Revise Assistant Secretary of Defense for Networks aud Information\nIntegration/DoD Chief Information Officer Memorandum, "Department of Defense (DoD)\nPrivacy Impact Assessment (PIA) Guidance," October 28, 2005, to reflect actions taken in\naccordance with Recommendations B.l.a. and B.l.b. and to:\n\n\n\n\n                                                                         Attachment (1)\n\n\n\n\n                                              48 \n\n\x0c     DoD CIO Response to DoD Office of Inspector General (OIG) Draft Audit Report, \n\n              "DoD Privacy Program and Privacy Impact Assessments" \n\n                        (Project No. D2006-D000AL-0087.000) \n\n\n          (1) Require that implementing guidance for the DoD Components\' revised \n\nmemorandum be reviewed and approved by the Assistant Secretary of Defense for \n\nNetworks and Information Integration/DoD Chief Information Officer and issued within \n\n60 days of publication of the revised Assistant Secretary of Defense for Networks and \n\nInformation Integration/DoD Chief Information Officer memorandum; \n\n\nResponse: Concur. The Office of the DoD CIO recommends 120 days instead of 60 days for\nthe Components to issue their implementing guidance.\n\n          (2) Require that all DoD Components forward PIAs to (he Assistant Secretary of\nDefense for Networks and Information Integration/DoD Chief Information Officer for\nreview and approval;\n\nResponse: Partially Concur. The Component CIOs are the subject matter experts to review\nand approve their system PIA. 
The Components will be required to submit their PIAs to the
Office of the DoD CIO after approval at the Component level for submission to the Office of
Management and Budget (OMB). The revised DoD PIA guidance will incorporate this
requirement in fourth Quarter FY07.

          (3) Require that the Assistant Secretary of Defense for Networks and
Information Integration/DoD Chief Information Officer, rather than Component Chief
Information Officers, be responsible for submitting approved privacy impact assessments to
the Office of Management and Budget;

Response: Concur. The revised DoD PIA guidance will incorporate this requirement.

          (4) Require that all personally identifiable data for DoD employees be afforded
the same level of assessment and protection provided to data for the general public;

Response: Concur. The revised DoD PIA guidance will incorporate this recommendation. Of
note, DoD CIO Policy Memorandum, "Department of Defense Guidance on Protecting
Personally Identifiable Information (PII)," August 18, 2006, directed Components to ensure that
all PII not explicitly cleared for public release be protected according to Confidentiality Level
Sensitive, as established in DoD Instruction 8500.2, "Information Assurance Implementation,"
February 6, 2003.

          (5) Clarify how the privacy impact assessment request link on the
Web site of the Assistant Secretary of Defense for Networks and Information
Integration/DoD Chief Information Officer is responsive to the requirement of the
E-Government Act to make privacy impact assessments publicly available;

Response: Concur. Currently, each Component maintains a repository of its PIAs. They are
required to be posted at a central location on the Component's public website until the system is
terminated. The DoD CIO website maintains a "PIA Request" link to respond to public requests
regarding DoD IT systems containing information in identifiable form. In the future, the DoD
CIO PIA website will display a link to each Component's PIA website listing all PIAs. Estimated
completion date for this task is in fourth Quarter FY07.

          (6) Specify the target audience and nature of training that DoD components are
required to provide for privacy impact assessments.

Response: Concur. The nature of the training is to understand the requirements to do PIAs and
the DoD PIA guidance. The Office of the CIO annually briefs the DoD resource managers on
the PIA requirements for the major IT systems reported in the Exhibit 300s. In the near future
(by July 31, 2007), the Office of the DoD CIO will review the curriculums at Defense
Acquisition University and Information Resources Management College to ensure content is
captured in their courses. In addition, we are in the process of adding PIA training content in the
DISA Information Assurance training program, which is distributed DoD-wide. Expected
completion July 31, 2007.

B.2. We recommend that the Assistant Secretary of Defense for Networks and
Information Integration/DoD Chief Information Officer require that DoD
Component CIOs:

        a. Disseminate Office of Management and Budget Memorandum 03-22
and Assistant Secretary of Defense for Networks and Information
Integration/DoD Chief Information Officer October 28, 2005, privacy impact
assessment guidance to all Component information technology system owners to
assist them in conducting required privacy impact assessments, pending receipt of
revised DoD and DoD Component guidance;

Response: Concur.
Estimated completion date for this task is May 31, 2007.

        b. Advise subordinate Component Chief Information Officers and privacy
officers that personally identifiable data for DoD employees should be afforded
the same level of assessment and protection offered to similar data from the
general public.

Response: Concur. The revised DoD PIA guidance will incorporate this recommendation.

Section C. Reporting in the DoD Information Technology Portfolio Repository (DITPR),
DoD OIG Recommendations.

C.1. We recommend that the Assistant Secretary of Defense for Networks and Information
Integration/DoD Chief Information Officer:

       a. Establish effective internal controls for DITPR;

Response: Concur. To establish and police effective internal controls, annual DITPR guidance
has institutionalized a data quality improvement program with specific improvement milestones.
Data quality results are emphasized and reported at each monthly Technical Solutions IPT
meeting and at the bi-monthly DITPR IPR. In addition, the DoD CIO has established an IT
Management Data Community of Interest (COI). This COI has begun the process of building a
Net-Centric capability for publishing and subscribing to all authoritative and complete DITPR
data. As part of this process, each Component entering data into DITPR will document, in a
detailed Verification and Validation study, how they are assured that the data they are submitting
to DITPR is complete and authoritative. When fully implemented, the processes established by
the COI should ensure that DITPR data elements across the Department are populated and
traceable to complete and authoritative data.

       b. Appoint an official who will manage and track approved privacy impact
assessments sent to the Assistant Secretary of Defense for Networks and Information
Integration/DoD Chief Information Officer.

Response: Concur. The DoD CIO, Director of Management Services is assigned to manage
and track privacy impact assessments and to work closely with the Director, Defense Privacy
Officer, Office of Director, Administration and Management. Action completed. Recommend
close out.

C.2. We recommend that the Assistant Secretary of Defense for Networks and
Information Integration/DoD Chief Information Officer require that DoD
Component Chief Information Officers:

      a. Evaluate the Component inventory of systems in the DoD Information
Technology Portfolio Repository to determine whether the systems contain
personally identifiable information to include information on DoD personnel;

Response: Concur. The Office of the DoD CIO and the Component CIOs are in the process of
evaluating which systems contain PII in their systems.

       b. Validate that the privacy impact assessment as well as security status information
reported in the DoD Information Technology Portfolio Repository for the program offices
is accurate before certifying to the DoD Chief Information Office that the information is
correct; and

Response: Concur. The revised PIA guidance and annual DITPR guidance will emphasize the
importance of validating entries into DITPR and certifying that the information is correct. Since
November 1, 2006, the Office of the DoD CIO PIA POC has been reviewing the validity of the
PIA data and corresponding with the Components to correct their information.
Over the last 4
months, the Component PIA POCs have reduced the number of blank PIA trigger answers from
approximately 800 in September 2006 to 179 blanks on February 27, 2007. In addition,
follow-ups are being conducted with the major Components to identify inconsistencies in their data.
This data quality effort will continue until the inconsistencies found in the DITPR are corrected.
On February 16, 2007, the Office of the DoD CIO held a meeting with the major Components to
discuss PIAs and issues. A PIA and Privacy working group meeting will be held in late March
2007 to provide awareness training and guidance. The DoD OIG representatives will be invited
to this meeting and future meetings of this working group.

       c. Implement automated controls, revise internal business processes, and establish
tracking mechanisms that will provide complete and accurate information to the DoD
Information Technology Portfolio Repository.

Response: Concur. The DoD CIO has established an IT Management Data COI. This COI has
begun the process of building a Net-Centric capability for publishing and subscribing to all
authoritative and complete DITPR data. As part of this process, each Component entering data
into DITPR will document, in a detailed Verification and Validation study, how they are assured
that the data they are submitting to DITPR is complete and authoritative. When fully
implemented, the processes established by the COI should ensure that DITPR data elements
across the Department are populated and traceable to complete and authoritative data.

Director of Administration and Management
Comments

                                    OFFICE OF THE SECRETARY OF DEFENSE
                                         1950 DEFENSE PENTAGON
                                        WASHINGTON, DC 20301-1950

   ADMINISTRATION AND                                           MAR 14 2007
      MANAGEMENT

MEMORANDUM FOR THE INSPECTOR GENERAL, DOD

SUBJECT: Report on Audit of DoD Privacy Program and Privacy Impact Assessments
         (Project No. D2006-D000AL-0087.000)

    I appreciate the opportunity to review and comment on your draft audit report of the DoD
Privacy Program.

    Except as otherwise noted in the attached comments, I generally concur with your findings
but not with your recommendations. As discussed in the attachment, the current or soon to be
revised DoDD 5400.11 and DoD 5400.11-R appear to provide the necessary and appropriate
guidance to the Military Departments and the DoD Components. However, I also am directing
that a review of the DoD Privacy Program be conducted where, among other objectives, the
effectiveness of the decentralized management approach to Privacy will be assessed, to include
what personnel and resources may be required to strengthen the current program.
The target date\n                 for completion of the review is in the fourth Quarter, FY 2007.\n\n                     Your audit, however, identifies a systemic problem that continues to impact the DoD Privacy\n                 Program, i.e., the failure of many in the DoD workforce to be cognizant of the applicable\n                 statutory and regulatory requirements for Privacy. As you would agree, absent a workforce that\n                 is sensitive and responsive to program requirements and demands, there will be failures. And\n                 while the failures are attributable to ignorance of the rules and regulations, and not to acts of\n                 malfeasance, the fact remains that the failures frustrate key objectives sought by Congress in the\n                 Privacy Act of 1974.\n\n                     I firmly believe that a viable training program, where individuals who interact with privacy\n                 protected information are made aware, and are subsequently reminded, of their reporting and\n                 safeguarding responsibilities under the law and implementing DoD/Component regulation, is the\n                 key to overcoming the present program deficiencies. As your report points out, a framework for\n                 Privacy training now exists in DoD 5400.11-R. The problem is that implementation of the\n                 training requirements is not uniform across the Components, principally because time and\n                 resource constraints impact a Component\'s ability to provide the needed training. But as you also\n                 have discovered during the audit, the Components are making use of technology, i.e., web-based,\n                 to reach their target audiences and to provide such training. 
As such training is expanded and fine-tuned, it is anticipated that workforce awareness of program requirements and demands will increase and that program vulnerabilities will decline.

Michael B. Donley
DoD Senior Privacy Official

Attachment:
As stated

DoDIG Project No. D2006-D000AL-0087.000
"Report on Audit of DoD Privacy Program and Privacy Impact Assessments"
DoD Senior Privacy Official Comments

Page 4.

Finding. The report states that program failures occurred, in part, because the DoD Privacy Office (DPO) has not established oversight mechanisms for effective Program execution.

The report does not acknowledge that DPO has a number of mechanisms in place, similar to those used by the Office of Management and Budget in its oversight role for Federal Privacy, that permits DPO to oversee the Component Privacy Programs. First, it has a dedicated technical channel with Component Privacy officials that provides DPO not only insight as to what is occurring in the Component but permits the Component to surface problems that they are encountering. Second, DPO exercises oversight in its role as a reviewing and approval authority for Privacy Act system of records notices. The review process provides a window into how the Components are complying with the requirements of the Act.
Third, DPO exercises oversight via the Federal Information Security and Management Agency (FISMA) Privacy Report, a report card on how agencies are complying with Federal privacy mandates. As part of the Department's report to OMB, DPO prepares a narrative statement based, in part, on input provided by the DoD Components. In effect, the Components are tasked to assess their programs. The resulting input provides a window into how the Components are viewing their respective Privacy Programs. This input also provides DPO an opportunity to assess the current health of the Component's Program. And fourth, the DoDIG and Component IGs are a means, as evidenced by the instant audit, to exercise oversight, a means that, until now, has not been frequently utilized.

Page 6 and Appendix B.

Finding. The report identifies a number of Forms that did not include a Privacy Act Statement (PAS).

A review of each of the identified Forms was not conducted. However, Standard Form (SF) 2817 and the SF 1199A do contain a PAS. For the Form 2817, the location of the PAS is described at the top of page 1. For the Form 1199A, the PAS is set forth on the back of the Form under the heading "Please Read This Carefully." And finally, SF 50-B does not require a PAS as information is not being collected directly from the individual.

Final Report Reference: Pages 11-16

Pages 10-11.

Recommendation a.(1). Modify DoDD 5400.11 to require DoD Components to provide biannual certifications to the DPO for review that Program requirements, e.g., training, system of records notices, Privacy Act Statements, etc.
are being implemented and followed.

The report acknowledges that current program requirements are set forth in DoDD 5400.11 and DoD 5400.11-R. The Components are now under an affirmative obligation to ensure that the Program mandates are met. In turn, the Components have promulgated privacy issuances that reaffirm the requirements set forth in the DoD issuances.

A biannual certification requirement will not remedy the deficiencies identified in the report nor will it significantly contribute to the DPO exercising oversight over the Component's programs. As the report makes clear, program execution is not due to the lack of guidance, but to the fact that Component personnel are not always aware of the guidance. These failings will persist until the workforce is sensitized to the demands and requirements of the program.

Component FISMA Privacy reporting is a much more effective tool for overseeing and reviewing Component compliance with program requirements.

Recommendation a.(2). Modify DoDD 5400.11 to require DoD Components to require that PASs are included on any DoD and non-DoD form used to collect identifiable information regardless of who provides the information.

The report points out that DoD 5400.11-R currently requires that Forms, whether DoD or not, contain a PAS if the information is being collected directly from the individual and is to be filed in a Privacy Act system of records.

Neither the Privacy Act nor the DoD guidance requires that a PAS be provided by a third party who is furnishing information about an individual.
Congressional intent was that information be collected to the greatest extent practicable from the individual and that when collecting such information that the individual is provided certain information so that he or she could make an informed decision whether or not the information should be furnished. Congress, however, recognized that this requirement may not be practical in all cases for financial or logistical reasons or because of other statutes. Such a case exists when supervisors or other administrative personnel enter information into a Privacy Act system of records based on information that is available to them. Such personnel are executing the duties of their offices and in order to properly discharge those duties, the information must be entered.

Recommendation a.(3). Modify DoDD 5400.11 to require that Privacy Officers receive management privacy training within 90 days of appointment and include the privacy training requirement in performance standards established by Privacy Officials.

It is agreed that, unless designated Privacy Officials are trained, their ability to execute a successful Privacy Program is impacted. DoD 5400.11-R, rather than DoDD 5400.11, will be changed to incorporate this specific requirement.

Incorporating a privacy training requirement into the performance standards of Privacy Officials possesses merit and warrants further study. This proposal will be evaluated as part of the DoD Privacy Program review.

Recommendation a.(4). Modify DoDD 5400.11 to require that individuals implementing privacy requirements and/or handling personal information receive appropriate specialized training and management training identified in DoD 5400.11-R.

The current DoD Regulation on Privacy provides guidance on such training. The revised Regulation, which is undergoing final review, has been expanded to provide additional guidance as well.

Recommendation a.(5).
Modify DoDD 5400.11 to require annual Privacy Act Awareness training for all DoD employees that includes a certification for completion.

How often Privacy Awareness training should be offered and conducted is now at the discretion of the Components as they are in the best position of judging the need and frequency for such training.

The soon to be approved DoD Regulation on Privacy will provide that, insofar as personnel who interact with privacy protected information are concerned, Components shall conduct training as frequently as believed necessary so as to ensure that personnel are sensitive to the requirements of the Regulation. The Regulation further will provide that Components shall give consideration to whether annual training and/or annual certification should be mandated for all or specified personnel whose duties and responsibilities require daily interaction with personally identifiable information.

Recommendation b. Assess the DoD privacy program for staffing levels and resources required to enable Privacy officials to effectively fulfill their Privacy duties and recommend resource allocations to ensure a viable Privacy program.

It is agreed that Component staffing levels and resources should be assessed with a view of determining what can be done to enhance Program effectiveness. The Assessment will be conducted as part of the DoD Privacy Program review.

Recommendation c.
Modify DoDD 5400.11 to require Component Privacy Officials, in coordination with the Component Chief Information Officers, to support preparation of the certifications required in Recommendation a.

Unless a Component Chief Information Officer is responsible for the Component Privacy Program, the Component CIO will not have a direct role in a Component's Privacy Program.

This does not mean that the Component CIOs do not have a critical role to play regarding Privacy. They do. The CIO has primary responsibility for technical security of Component IT systems. In this area, it can be said that there is a "shared" responsibility between the Component Privacy Official and the Component CIO as the CIO responsibilities directly impact the Component's Privacy Program. In effect, the Component Privacy Official relies on the Component CIO to develop the appropriate technical safeguards that will safeguard personally identifiable information in IT systems, thereby permitting the Component to be in compliance with the Privacy Act and implementing DoD/Component authority.

Recommendation c.(1). Modify DoDD 5400.11 to require Component Privacy Officials, in coordination with the Component Chief Information Officers, to develop an authoritative inventory of Component systems of records containing personally identifiable information.

DoD 5400.11-R presently requires that DPO maintain an authoritative inventory of Component Privacy Act systems of records notices. The inventory, which is posted to the DPO web site at www.dod.mil/privacy/notices, contains the notices for 1,174 systems of records. The inventory covers automated (IT) systems, manual systems, and hybrid systems (part automated, part manual).

Recommendation c.(2).
Modify DoDD 5400.11 to require Component Privacy Officials, in coordination with the Component Chief Information Officers, to prepare system notices for the inventory of system of records being maintained.

DoD 5400.11 presently imposes an affirmative obligation on DoD system managers to prepare promptly any required new, amended, or altered system notice for the system and to forward them to the Component Privacy Official for review when a system qualifies as a Privacy Act system of records.

Recommendation c.(3). Modify DoDD 5400.11 to require Component Privacy Officials, in coordination with the Component Chief Information Officers, to oversee subordinate privacy programs by conducting privacy reviews and verifying that privacy training is being conducted at all required levels.

Component Privacy Officials are currently required, incident to providing input for the FISMA Privacy Report, to review their Privacy Programs, to include assessing whether their training programs are ensuring that personnel are generally familiar with information privacy laws, regulations and policies and whether appropriate job-related training is being offered.

Naval Postgraduate School Comments

DEPARTMENT OF THE NAVY
NAVAL POSTGRADUATE SCHOOL
1 UNIVERSITY CIR
MONTEREY CA 93943-5000

IN REPLY REFER TO
2 Mar 07

From:
President, Naval Postgraduate School
To: Department of the Navy - Chief Information Officer

Subj: DODIG DRAFT OF A PROPOSED REPORT, DoD PRIVACY PROGRAM AND PRIVACY IMPACT ASSESSMENTS (PROJECT NO. D2006-D000AL-0087.000)

Ref: (a) DOD IG Memorandum of February 6, 2007
     (b) DODIG Project No. D2006-D000AL-0087.000 Draft Report.

Encl: (1) Management Comments to Recommendations

1. Per references (a) and (b) this is in response to subject draft report, of 6 February 2007, provided to this office for review and comment. Upon review of the draft report, we concur with the findings made by the Office of Inspector General (OIG), Department of Defense (DoD). NPS has addressed all recommendations and has either implemented or is in the process of implementing them.

2. Please address any questions to Ms. Lynn Murch or Ms. Denise Ross, Command Evaluation, Tel: 831.656.2557/2751 or email lmurch@nps.edu/djross@nps.edu.

DAVID A. SMARSH
Chief of Staff

Enclosure (1)

Management Response to DoD IG Draft Audit Report, Project No. D2006-D000AL-0087.000, DoD Privacy Program and Privacy Impact Assessments, dated 6 February 2007

C. Reporting in the DoD Information Technology Portfolio Repository.
Recommendation C.3.a: Immediately begin efforts to certify and accredit the Reporting System, the Electronic Time and Attendance Certification System, the Management Information System, and the Python Education Management System in accordance with DoD policy.

Management Comment: Concur. The four Naval Postgraduate School systems listed in the DITPR-DON, the Departmental Online Reporting System, the Electronic Time and Attendance Certification System, the Management Information System and the Python Education Management System have begun the process of the DoD Information Technology Security Certification and Accreditation Process (DITSCAP). The following portions of the DITSCAP have been completed: the contingency plans have been written and tested, the DoD 8500.2 Information Assurance Controls that require annual review have been reviewed, the DoD 8510.1 Minimum Security Checklist has been completed and a residual risk assessment has been completed. We will conduct the Security Test and Evaluation and complete the written documentation for the System Security Authorization Agreement (SSAA) on each system. The SSAA will then be submitted to NETWARCOM, Operational DAA for Approval to Operate (ATO).

Estimated Completion Date: The estimated date of completion is 31 Dec 07.

Recommendation C.3.b: Report to the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer; the Chief Information Officer, Department of the Navy; and in the DoD Information Technology Portfolio Repository that the Departmental Online Reporting System, the Electronic Time and Attendance Certification System, the Management Information System, and the Python Education Management System are not certified or accredited.

Management Comment: Concur.
The Naval Postgraduate School is currently working with the Department of the Navy Chief Information Officer's office to accurately reflect the certification and accreditation status in the DoD Information Technology Portfolio Repository - Department of Navy.

Estimated Completion Date: The estimated date of completion is 31 Dec 07.

Recommendation C.3.c: Require that the Designated Approving Authority for the Departmental Online Reporting System, the Electronic Time and Attendance Certification System, the Management Information System, and the Python Education Management System not grant any authority to operate until the system owners certify the systems to operate in an environment that warrants an acceptable risk that the system's information is protected to the highest level possible.

Management Comment: Concur. The Naval Postgraduate School has completed the evaluation of the information assurance controls, and the minimum security checklist for each system. The residual risk assessment has been done locally and the risk statement has been completed.
The system owner, the Naval Postgraduate School, has confirmed the appropriate security protections are in place for the systems to process sensitive unclassified information. Additionally, a Security Test and Evaluation is planned as part of the certification and accreditation process this year.

Estimated Completion Date: The estimated date of completion is 31 Dec 07.

Department of the Navy Comments

DEPARTMENT OF THE NAVY
CHIEF INFORMATION OFFICER
1000 NAVY PENTAGON
WASHINGTON DC 20350-1000

8 March 2007

From: Department of the Navy Chief Information Officer

To: Inspector General, Department of Defense
    Audit Follow-up and GAO Affairs
    400 Army Navy Drive
    Arlington, VA 22202

Subj: DOD-IG PROJECT NO. D-2006-D000AL-0087.000, "REPORT ON AUDIT OF THE DOD PRIVACY PROGRAM AND PRIVACY IMPACT ASSESSMENTS" - RESPONSE TO DRAFT REPORT ISSUED 6 FEB 2007

Encl: (1) NAVPGSCOL ltr 3000 Ser 00/018 of 2 Mar 07

The above referenced audit report recommended revisions to the Department of the Navy's (DON) Privacy Program. The DON Chief Information Officer (CIO) concurs with the need to update the SECNAVINST 5211.5E in order to reflect changes in DON's management of its Privacy Program and affected policies and practices.
Specifically, SECNAVINST 5211.5E is under review and will incorporate recommendations made by the Department of Defense Inspector General (DoD-IG) audit team, as appropriate. The DON will implement the Privacy Program requirements stipulated by the Office of Management and Budget (OMB) and the Department of Defense (DoD) to ensure the security of Personally Identifiable Information (PII) throughout the DON.

The DON agrees the ever-increasing threats to PII, through accelerated technological advances, increases vulnerability. Significantly, the substantial increase in identity theft reports necessitated additional financial, human, and equipment resources be devoted to the Privacy Program effort. Accordingly, the DON took the following actions in concert with the DON Privacy Act and Freedom of Information Act Office to reduce the threat and increase awareness for our personnel:

• Updated the DON's privacy web site, including identification of all approved Privacy Act Systems of Records.
• Reviewed approximately one-third of the DON's system inventory to ensure proper reporting.
• Listed all changes to systems and posted these changes to the DON's privacy web site.
• Developed and posted required privacy training materials on the DON's privacy web site.
• Issued the SECNAVINST 5211.5E in December 2005, which is currently being revised to ensure compliance with recent regulatory changes.
• Formed Privacy working groups to address best practices and improve DON policy and guidance.
• Designated one Full Time Equivalent (FTE) in the Information Assurance (IA) section of the DON CIO to focus on Privacy Impact Assessments (PIA) and coordinate activities with the DON Privacy Act and Freedom of Information Act Office.
In an effort to coordinate its policies within the DON, the DON Deputy CIO (Marine Corps) reports that it is drafting policy for the:

• Initiation, processing, review, and submission of PIAs for information technology systems.
• Handling, maintaining, disposal, and training of personnel with regard to PII.
• Reporting of loss or possible compromise of PII.

The DON CIO confirms the specific recommendations provided in the audit regarding the Naval Postgraduate School were accepted and are being instituted. Enclosure (1) provides substantial details on actions being taken.

The DON has met the intent of the audit by committing additional resources, instituting appropriate changes to privacy policies and procedures, incorporating recommendations from several sources, and improving the Navy's and Marine Corps' management of PII. We appreciate the DoD-IG's efforts in support of the DON to improve the effectiveness of our Privacy Program.

John J. Lussier

Copy to:
NAVINSGEN (Attn: J. Gilbert)
CNO (N61)
CMC (C4)

Department of the Air Force Comments

DEPARTMENT OF THE AIR FORCE
OFFICE OF THE SECRETARY

8 March 2007

MEMORANDUM FOR DEPUTY INSPECTOR GENERAL FOR AUDITING
    OFFICE OF THE INSPECTOR GENERAL
    DEPARTMENT OF DEFENSE

FROM: SAF/XC

SUBJECT: DoDIG Draft Audit Report, DoD Privacy Program and Privacy Impact Assessments, (Project No. D2006-D000AL-0087.000)

1. This is in reply to your memorandum requesting the Assistant Secretary of the Air Force (Financial Management and Comptroller) to provide Air Force comments on subject report.

2. I appreciate the opportunity to review and comment on your draft audit report of the DoD Privacy Program relative to the Air Force portion.

3. The Air Force concurs, without comment, to the DoDIG audit Findings/Recommendations associated with Section A, Privacy Act Program, and Section B, Privacy Act Impact Assessments.

4. The SAF/XC POC is Ms. Novella S. Hill, Air Force Privacy Act Officer, (703) 588-7855, novella.hill@pentagon.af.mil.

WILLIAM T. LORD, Maj Gen, USAF
Director, Information, Services and Integration
Office of Warfighting Integration and Chief Information Officer

Team Members
The Department of Defense Office of the Deputy Inspector General for Auditing, Readiness and Operations Support prepared this report.
Personnel of the Department of Defense Office of Inspector General who contributed to the report are listed below.

Kathryn M. Truex
Karen J. Goff
Robert R. Johnson
Zachary M. Williams
Bryan T. Clark
Xavier R. Zayas